Analysis
- max time kernel: 41s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 21-11-2020 07:51

Static task: static1
Behavioral task: behavioral1
Sample: PI.exe
Resource: win7v20201028

General
- Target: PI.exe
- Size: 964KB
- MD5: dbda32339a6965fefc794f220f944016
- SHA1: 3e53b09125eb1e031f5f0e777836ba738b84fc42
- SHA256: c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
- SHA512: be3282f1211845289f41775cd423312efca1a5cccfa5bfbf5a4baa31bb55b6067b0d40db3f82113c0166998c4bfd9459699bd0673acc68e3c5320244513a05fb
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.hybridgroupco.com
- Port: 587
- Username: info@hybridgroupco.com
- Password: Obinna123@@@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 4 IoCs
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1620-7-0x0000000000400000-0x00000000004D9000-memory.dmp   family_agenttesla
  behavioral1/memory/1620-4-0x00000000004D74C0-mapping.dmp                     family_agenttesla
  behavioral1/memory/1620-8-0x00000000004E0000-0x0000000000546000-memory.dmp   family_agenttesla
  behavioral1/memory/1620-11-0x00000000002B0000-0x0000000000310000-memory.dmp  family_agenttesla
- Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1620-3-0x0000000000400000-0x00000000004D9000-memory.dmp   upx
  behavioral1/memory/1620-5-0x0000000000400000-0x00000000004D9000-memory.dmp   upx
  behavioral1/memory/1620-7-0x0000000000400000-0x00000000004D9000-memory.dmp   upx
- Drops startup file 1 IoCs
  Processes: notepad.exe
  description   ioc                                                                                  process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs  notepad.exe
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext 1 IoCs
  Processes: PI.exe
  description                          pid   process  target process
  PID 2036 set thread context of 1620  2036  PI.exe   PI.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: PI.exe, PI.exe
  pid   process
  2036  PI.exe
  1584  PI.exe
  (every remaining entry of the 64 reads "1584 PI.exe")
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes: PI.exe
  pid   process
  2036  PI.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: PI.exe
  description              pid   process
  Token: SeDebugPrivilege  1620  PI.exe
- Suspicious use of WriteProcessMemory 14 IoCs
  Processes: PI.exe
  description                        pid   process  target process
  PID 2036 wrote to memory of 1688   2036  PI.exe   notepad.exe
  PID 2036 wrote to memory of 1688   2036  PI.exe   notepad.exe
  PID 2036 wrote to memory of 1688   2036  PI.exe   notepad.exe
  PID 2036 wrote to memory of 1688   2036  PI.exe   notepad.exe
  PID 2036 wrote to memory of 1688   2036  PI.exe   notepad.exe
  PID 2036 wrote to memory of 1688   2036  PI.exe   notepad.exe
  PID 2036 wrote to memory of 1620   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1620   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1620   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1620   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1584   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1584   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1584   2036  PI.exe   PI.exe
  PID 2036 wrote to memory of 1584   2036  PI.exe   PI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\PI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\PI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe" 2 1620 259264020
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                              filesize
memory/1584-6-0x0000000000000000-mapping.dmp                      -
memory/1584-9-0x0000000000400000-0x00000000004F7000-memory.dmp    988KB
memory/1620-3-0x0000000000400000-0x00000000004D9000-memory.dmp    868KB
memory/1620-5-0x0000000000400000-0x00000000004D9000-memory.dmp    868KB
memory/1620-7-0x0000000000400000-0x00000000004D9000-memory.dmp    868KB
memory/1620-4-0x00000000004D74C0-mapping.dmp                      -
memory/1620-8-0x00000000004E0000-0x0000000000546000-memory.dmp    408KB
memory/1620-11-0x00000000002B0000-0x0000000000310000-memory.dmp   384KB
memory/1620-10-0x00000000003F2000-0x00000000003F3000-memory.dmp   4KB
memory/1688-1-0x0000000000000000-mapping.dmp                      -
memory/1688-2-0x0000000000090000-0x0000000000091000-memory.dmp    4KB
memory/2036-0-0x0000000000400000-0x00000000004F7000-memory.dmp    988KB