Analysis
-
max time kernel
69s -
max time network
127s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:37
General
-
Target
STATEMENT OF ACCOUNT.exe
-
Size
515KB
-
MD5
1fb7e84ceaa0d66100e242b493b003ef
-
SHA1
2e9ec07aaa9dc744e8bfad320a2b7df0a8a7301b
-
SHA256
d91e999a7466f56e8cc31598ac1735c57a6d864fb8eb5044fc6a1bcf8f5f4f13
-
SHA512
13f34af2473eb0d2f2cfd609b840df48bf3b93e8d1be25400d23cafac90fd2d640a31c496b1d01ea5da1c2315b4a1caa298d08ef56e6cca929fe73b17d60e802
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
sly-originlogs@yandex.ru - Password:
JesusChrist007
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx