Analysis
- Max time kernel: 135s
- Max time network: 139s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 09-11-2020 20:22
Static task: static1
Behavioral task: behavioral1
  Sample: 7ec490cadb46d941cf22039f839e5688.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7ec490cadb46d941cf22039f839e5688.exe
  Resource: win10v20201028
General
- Target: 7ec490cadb46d941cf22039f839e5688.exe
- Size: 476KB
- MD5: 7ec490cadb46d941cf22039f839e5688
- SHA1: fe05ea713895882c0f80045e6b5eb3db15f97d12
- SHA256: 71502c5ab4ccd1d224efd3ca833f145086a50805c7ca1f7cb48d9ea2f96ffd18
- SHA512: be9e01965465225605f77312d5ec7085dc8418b680db3272a226a3dec2b902f188748039edc179dc5254bdaba9a7c101bd48b4fff926e50dd909bc28fbab20c7
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: smtp.ecojett.co
- Port: 587
- Username: ikeji@ecojett.co
- Password: HZnUICj1
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer (1 IoC)
  A .NET packer called CoreEntity, which embeds the payload as a BitMap object that is later decrypted.
  Resource: behavioral2/memory/728-4-0x0000000005050000-0x0000000005052000-memory.dmp
  YARA rule: coreentity
- AgentTesla Payload (2 IoCs)
  Resource: behavioral2/memory/1344-9-0x0000000000400000-0x0000000000450000-memory.dmp
  YARA rule: family_agenttesla
  Resource: behavioral2/memory/1344-10-0x000000000044A49E-mapping.dmp
  YARA rule: family_agenttesla
- Resource: behavioral2/memory/728-6-0x00000000055C0000-0x0000000005611000-memory.dmp
  YARA rule: rezer0
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Description: PID 728 set thread context of 1344
  Process: 728 (7ec490cadb46d941cf22039f839e5688.exe)
  Target process: 1344 (7ec490cadb46d941cf22039f839e5688.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1344 (7ec490cadb46d941cf22039f839e5688.exe)
  PID 1344 (7ec490cadb46d941cf22039f839e5688.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 728 (7ec490cadb46d941cf22039f839e5688.exe)
  Token: SeDebugPrivilege, PID 1344 (7ec490cadb46d941cf22039f839e5688.exe)
- Suspicious use of WriteProcessMemory (8 IoCs, all identical)
  Description: PID 728 wrote to memory of 1344 (8 times)
  Process: 728 (7ec490cadb46d941cf22039f839e5688.exe)
  Target process: 1344 (7ec490cadb46d941cf22039f839e5688.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7ec490cadb46d941cf22039f839e5688.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7ec490cadb46d941cf22039f839e5688.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7ec490cadb46d941cf22039f839e5688.exe
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7ec490cadb46d941cf22039f839e5688.exe.log
  MD5: 179a315edc48c9f36389c2f6c6df7381
  SHA1: eea81bdc49cdade53dbe305b9b6d1ed1226624ac
  SHA256: 8bc7fa3629a7470a1a58cd39660fa3f2387f620410560dbd337e809f102403b1
  SHA512: 12c6dabeb0d65e7e7966855a8c1efc8ac8580c206d451daa7e46b3d2e992da6195db16b6c3bb2c497de2352a485ac8f3e949b7e8b134e9860407d0c91f228a26
- memory/728-7-0x00000000056C0000-0x00000000056C1000-memory.dmp
  Filesize: 4KB
- memory/728-1-0x0000000000770000-0x0000000000771000-memory.dmp
  Filesize: 4KB
- memory/728-4-0x0000000005050000-0x0000000005052000-memory.dmp
  Filesize: 8KB
- memory/728-5-0x00000000097D0000-0x00000000097D1000-memory.dmp
  Filesize: 4KB
- memory/728-6-0x00000000055C0000-0x0000000005611000-memory.dmp
  Filesize: 324KB
- memory/728-0-0x0000000073EE0000-0x00000000745CE000-memory.dmp
  Filesize: 6.9MB
- memory/728-8-0x0000000005C60000-0x0000000005C61000-memory.dmp
  Filesize: 4KB
- memory/728-3-0x00000000076D0000-0x0000000007729000-memory.dmp
  Filesize: 356KB
- memory/1344-9-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/1344-10-0x000000000044A49E-mapping.dmp
- memory/1344-12-0x0000000073EE0000-0x00000000745CE000-memory.dmp
  Filesize: 6.9MB
- memory/1344-17-0x0000000005090000-0x0000000005091000-memory.dmp
  Filesize: 4KB
- memory/1344-18-0x0000000005580000-0x0000000005581000-memory.dmp
  Filesize: 4KB
- memory/1344-20-0x0000000006060000-0x0000000006061000-memory.dmp
  Filesize: 4KB