Analysis
-
max time kernel
107s -
max time network
109s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 19:37
General
-
Target
Scan 0007052020.exe
-
Size
520KB
-
MD5
06d49c3d910b149dc1f89341b0209c7e
-
SHA1
eee501121dd58f5e9e837a346436eedd89719ccf
-
SHA256
03ffe4f20fb755df6d624c00fa8146eb3870b55fa5356d25b50ebfc197f7ade4
-
SHA512
e8041f5f462e14e4a004fe353582e90231be9b05a6d6ec7a32ec73602d849db3d1d2f4be1409970144a1dfe1475a16d7b4f2cf9fbe16a86e30754b0675fa92dd
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
victor77514@yandex.com - Password:
Great@12345
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/472-116-0x0000000000449FCE-mapping.dmp
-
memory/472-115-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/472-118-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/472-117-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/576-114-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmpFilesize
2.5MB