Analysis
-
max time kernel
75s -
max time network
133s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 19:37
Behavioral task
behavioral1
Sample
RFQ#2071466.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
RFQ#2071466.exe
Resource
win10v20201028
General
-
Target
RFQ#2071466.exe
-
Size
516KB
-
MD5
1ac5867a0b75d47c788950d1a273b83d
-
SHA1
4758d69b44dc4ea857a91b5401f6f9cb316679c6
-
SHA256
9c61e23500bd96aacabe33bf81afe48cddb5bb6bfa61366ba663dff5f58f5034
-
SHA512
5c1141cecdf7f55d3c7f9d6c8ab14b0a7c1b3f9f1532c401cd22454cc95108926603364466df6ab7c8968f6ad6d19e566d7348cc18c1b834e545ba41df1504e4
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
RFQ#2071466.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main RFQ#2071466.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RFQ#2071466.exepid process 364 RFQ#2071466.exe 364 RFQ#2071466.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RFQ#2071466.exedescription pid process Token: SeDebugPrivilege 364 RFQ#2071466.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
RFQ#2071466.exepid process 364 RFQ#2071466.exe 364 RFQ#2071466.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1616-59-0x000007FEF7500000-0x000007FEF777A000-memory.dmpFilesize
2.5MB