Analysis
-
max time kernel
63s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:37
General
-
Target
RFQ-Powertech Controls Co, Inc.exe
-
Size
529KB
-
MD5
7bf4cb7edeedb6c539eb0beaf28371a7
-
SHA1
96971e2fb4d5ea354cf03925a7b8fd47dd346b1b
-
SHA256
5d100d55c4d2acf92f6f690e546c5a0e7ad6750520809a3f226783d99623aed7
-
SHA512
8b648a440206196618fb46d10076d0bdd3e2cf91a421cc7b1b3cf826005111e04b15dcab6d56d33272904b4257ecb6809f21fa2c1b0dbdaf566a29662ae7c919
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.alvadiwipa.com - Port:
587 - Username:
murti@alvadiwipa.com - Password:
glodokplaza15
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.alvadiwipa.com - Port:
587 - Username:
murti@alvadiwipa.com - Password:
glodokplaza15
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ-Powertech Controls Co, Inc.exe"C:\Users\Admin\AppData\Local\Temp\RFQ-Powertech Controls Co, Inc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2392-3-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2392-4-0x000000000044BDEE-mapping.dmp