Analysis

Max time kernel: 107s
Max time network: 109s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 09-11-2020 19:37

Behavioral task: behavioral1
Sample: Scan 0007052020.exe
Resource: win7v20201028 (windows7_x64)

Behavioral task: behavioral2
Sample: Scan 0007052020.exe
Resource: win10v20201028 (windows10_x64)
General

Target: Scan 0007052020.exe
Size: 520KB
MD5: 06d49c3d910b149dc1f89341b0209c7e
SHA1: eee501121dd58f5e9e837a346436eedd89719ccf
SHA256: 03ffe4f20fb755df6d624c00fa8146eb3870b55fa5356d25b50ebfc197f7ade4
SHA512: e8041f5f462e14e4a004fe353582e90231be9b05a6d6ec7a32ec73602d849db3d1d2f4be1409970144a1dfe1475a16d7b4f2cf9fbe16a86e30754b0675fa92dd
Score: 10/10
Malware Config

Extracted
Family: agenttesla
Credentials
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: victor77514@yandex.com
Password: Great@12345
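The SMTP settings above come from the sandbox's own config extractor. What follows is an added example (Python), not part of the Triage report and not its extractor: it recovers the same four fields from a process memory dump by scanning for UTF-16LE strings, which is how a .NET process holds them in memory (the payload here runs inside RegSvcs.exe, a .NET Framework host). The dump it scans is a constructed byte string; on a real case you would read the memory/472-115-0x0000000000400000-0x000000000044E000-memory.dmp file listed under Downloads instead. The host and e-mail regexes, the port list, and the rule "the password is the first unclassified string after the username" are heuristics assumed for this example, not a documented AgentTesla layout.

```python
"""Recover AgentTesla-style SMTP exfiltration settings from a memory dump.

Added example; not the Triage report's extractor. Assumes the settings sit in
memory as UTF-16LE strings (a .NET process), and uses heuristics to label them.
"""
import re

# A run of at least three printable ASCII characters encoded as UTF-16LE.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")
# Heuristic shapes for the fields we expect (assumptions for this example).
_EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
_HOST = re.compile(r"^(?:smtp|mail)\.[\w-]+(?:\.[\w-]+)+$", re.I)
_SMTP_PORTS = {"25", "465", "587", "2525"}


def utf16_strings(blob: bytes):
    """Yield (offset, text) for every UTF-16LE printable run in the blob."""
    for m in _UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16le")


def classify(text: str):
    """Map one recovered string to the config field it looks like, or None."""
    if _EMAIL.match(text):
        return "username"
    if _HOST.match(text):
        return "host"
    if text in _SMTP_PORTS:
        return "port"
    return None


def extract_smtp_config(blob: bytes) -> dict:
    """Return the host/port/username/password found in a dump.

    The password has no recognisable shape, so it is taken as the first
    unclassified string of four or more characters that follows the username
    in memory order. That ordering is an assumption, not a known layout.
    """
    strings = list(utf16_strings(blob))
    cfg = {}
    for i, (_off, text) in enumerate(strings):
        kind = classify(text)
        if kind and kind not in cfg:
            cfg[kind] = text
            if kind == "username":
                for _o, nxt in strings[i + 1:]:
                    if classify(nxt) is None and len(nxt) >= 4:
                        cfg["password"] = nxt
                        break
    return cfg


def _u16(s: str) -> bytes:
    """Encode a NUL-terminated UTF-16LE string as a .NET process would."""
    return s.encode("utf-16le") + b"\x00\x00"


# Constructed stand-in for a dump: filler bytes around the strings the
# report's extractor recovered, in an order chosen for this example.
SAMPLE_DUMP = (
    b"\x00" * 13 + _u16("System.Net.Mail.SmtpClient")
    + bytes(range(0x80, 0x90)) + _u16("smtp.yandex.com") + _u16("587")
    + _u16("victor77514@yandex.com") + _u16("Great@12345") + b"\x00" * 7
)

if __name__ == "__main__":
    for field, value in extract_smtp_config(SAMPLE_DUMP).items():
        print(f"{field}: {value}")
```

On a real dump the string scan returns thousands of runs, so tighten the heuristics (for example, require the password candidate to sit within a few hundred bytes of the username) before trusting the result, and confirm it against the sandbox's extraction.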
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer built on the .NET Framework (samples are typically written in Visual Basic .NET or C#). In this run it is configured to exfiltrate over SMTP with the credentials shown under Malware Config, and the payload executes inside RegSvcs.exe, a .NET Framework utility, rather than in the submitted executable.
AgentTesla Payload (4 IoCs)
YARA rule family_agenttesla matched these memory regions, all in PID 472 (RegSvcs.exe):
- behavioral1/memory/472-116-0x0000000000449FCE-mapping.dmp
- behavioral1/memory/472-115-0x0000000000400000-0x000000000044E000-memory.dmp
- behavioral1/memory/472-118-0x0000000000400000-0x000000000044E000-memory.dmp
- behavioral1/memory/472-117-0x0000000000400000-0x000000000044E000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
- PID 1664 (Scan 0007052020.exe) set thread context of PID 472 (RegSvcs.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 472 (RegSvcs.exe), 2 occurrences

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 1664 (Scan 0007052020.exe)
- Token SeDebugPrivilege: PID 472 (RegSvcs.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1664 (Scan 0007052020.exe), 2 occurrences

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1664 (Scan 0007052020.exe) wrote to memory of PID 472 (RegSvcs.exe), 12 times

Read together, these are the process-hollowing pattern: the submitted executable starts RegSvcs.exe, writes into it, resets its thread context, and the AgentTesla YARA match appears only in the RegSvcs.exe process. The submitted file is a loader; the payload, and therefore any use of the extracted SMTP configuration, lives in PID 472.
Processes

- C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe (PID 1664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 472, child of 1664)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
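The process tree and the signatures above describe one chain: an executable in a user-writable directory spawns a .NET Framework host and then writes into it. The block below is an added example (Python) of detection logic for that chain; it is not part of the Triage report and not Triage's signature engine. It correlates Sysmon-shaped events (EventID 1 ProcessCreate, EventID 10 ProcessAccess) and raises a finding when a known .NET host binary is started by a parent in a user-writable path, when the parent obtains write access to it, or both. The events are constructed for the example: PIDs 1664 and 472 and the image paths come from the report, while the explorer.exe parent, the GrantedAccess value, the msiexec.exe control case, the list of host binaries other than RegSvcs.exe, and the list of user-writable directories are assumptions.

```python
"""Flag a loader in a user-writable directory hollowing a .NET Framework host.

Added example; not the sandbox's own signature logic. Events are constructed
in a Sysmon-like shape (EventID 1 = ProcessCreate, EventID 10 = ProcessAccess).
"""
import re
from collections import defaultdict

# .NET Framework host binaries that .NET loaders commonly inject into.
# RegSvcs.exe is the one in this report; the rest is an assumed list.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                "msbuild.exe", "applaunch.exe"}
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public)\\", re.I)

# Process access rights from winnt.h; both are required by WriteProcessMemory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(events):
    """Correlate ProcessCreate and ProcessAccess events and return findings.

    'high' when a .NET host spawned from a user-writable path is also written
    to by its parent; 'medium' when only one of the two conditions holds.
    """
    creates = {}               # child pid -> ProcessCreate event
    access = defaultdict(int)  # (source pid, target pid) -> OR of rights
    for ev in events:
        if ev["EventID"] == 1:
            creates[ev["ProcessId"]] = ev
        elif ev["EventID"] == 10:
            key = (ev["SourceProcessId"], ev["TargetProcessId"])
            access[key] |= int(ev["GrantedAccess"], 16)

    findings = []
    for pid, ev in creates.items():
        if basename(ev["Image"]) not in DOTNET_HOSTS:
            continue
        from_user_dir = bool(USER_WRITABLE.search(ev["ParentImage"]))
        granted = access.get((ev["ParentProcessId"], pid), 0)
        parent_wrote = (granted & WRITE_MASK) == WRITE_MASK
        if not (from_user_dir or parent_wrote):
            continue
        findings.append({
            "parent_pid": ev["ParentProcessId"],
            "parent_image": ev["ParentImage"],
            "child_pid": pid,
            "child_image": ev["Image"],
            "parent_in_user_dir": from_user_dir,
            "parent_wrote_child": parent_wrote,
            "severity": "high" if (from_user_dir and parent_wrote) else "medium",
        })
    return findings


# Constructed events modelled on the report's process tree. PIDs 1664/472 and
# the image paths are from the report; the explorer.exe parent, GrantedAccess
# and the msiexec.exe control case are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1664, "ParentProcessId": 1240,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 472, "ParentProcessId": 1664,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"},
    {"EventID": 10, "SourceProcessId": 1664, "TargetProcessId": 472,
     "GrantedAccess": "0x1FFFFF"},
    # Control case: the same host binary started by an installer, no access.
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 800,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['parent_image']} (PID {f['parent_pid']}) "
              f"-> {f['child_image']} (PID {f['child_pid']})")
```

The write-access check is what separates hollowing from a legitimate parent merely launching RegSvcs.exe; a Sysmon deployment needs an EventID 10 rule that actually records accesses to these host binaries, otherwise only the weaker path-based condition can fire.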
Downloads

- memory/472-116-0x0000000000449FCE-mapping.dmp
- memory/472-115-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/472-118-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/472-117-0x0000000000400000-0x000000000044E000-memory.dmp (312KB)
- memory/576-114-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp (2.5MB)

The three 312KB dumps of 0x400000-0x44E000 in PID 472 (RegSvcs.exe) are the region the family_agenttesla YARA rule matched, i.e. the unpacked payload; start there when recovering the configuration yourself. PID 576 does not appear in the process tree above.