Analysis
-
max time kernel
63s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:37
Behavioral task
behavioral1
Sample
RFQ-Powertech Controls Co, Inc.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
RFQ-Powertech Controls Co, Inc.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
RFQ-Powertech Controls Co, Inc.exe
-
Size
529KB
-
MD5
7bf4cb7edeedb6c539eb0beaf28371a7
-
SHA1
96971e2fb4d5ea354cf03925a7b8fd47dd346b1b
-
SHA256
5d100d55c4d2acf92f6f690e546c5a0e7ad6750520809a3f226783d99623aed7
-
SHA512
8b648a440206196618fb46d10076d0bdd3e2cf91a421cc7b1b3cf826005111e04b15dcab6d56d33272904b4257ecb6809f21fa2c1b0dbdaf566a29662ae7c919
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.alvadiwipa.com - Port:
587 - Username:
murti@alvadiwipa.com - Password:
glodokplaza15
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.alvadiwipa.com - Port:
587 - Username:
murti@alvadiwipa.com - Password:
glodokplaza15
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2392-3-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral2/memory/2392-4-0x000000000044BDEE-mapping.dmp family_agenttesla -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RFQ-Powertech Controls Co, Inc.exedescription pid process target process PID 3980 set thread context of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 2392 MSBuild.exe 2392 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RFQ-Powertech Controls Co, Inc.exeMSBuild.exedescription pid process Token: SeDebugPrivilege 3980 RFQ-Powertech Controls Co, Inc.exe Token: SeDebugPrivilege 2392 MSBuild.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
RFQ-Powertech Controls Co, Inc.exepid process 3980 RFQ-Powertech Controls Co, Inc.exe 3980 RFQ-Powertech Controls Co, Inc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
RFQ-Powertech Controls Co, Inc.exedescription pid process target process PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe PID 3980 wrote to memory of 2392 3980 RFQ-Powertech Controls Co, Inc.exe MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ-Powertech Controls Co, Inc.exe"C:\Users\Admin\AppData\Local\Temp\RFQ-Powertech Controls Co, Inc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken