Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-11-2020 07:51
General
-
Target
PI.exe
-
Size
964KB
-
MD5
dbda32339a6965fefc794f220f944016
-
SHA1
3e53b09125eb1e031f5f0e777836ba738b84fc42
-
SHA256
c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
-
SHA512
be3282f1211845289f41775cd423312efca1a5cccfa5bfbf5a4baa31bb55b6067b0d40db3f82113c0166998c4bfd9459699bd0673acc68e3c5320244513a05fb
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.hybridgroupco.com - Port:
587 - Username:
info@hybridgroupco.com - Password:
Obinna123@@@
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.hybridgroupco.com - Port:
587 - Username:
info@hybridgroupco.com - Password:
Obinna123@@@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PI.exe"C:\Users\Admin\AppData\Local\Temp\PI.exe" 2 1924 2592814682⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/648-0-0x0000000000400000-0x00000000004F7000-memory.dmpFilesize
988KB
-
memory/1728-1-0x0000000000000000-mapping.dmp
-
memory/1924-2-0x0000000000400000-0x00000000004D9000-memory.dmpFilesize
868KB
-
memory/1924-3-0x00000000004D74C0-mapping.dmp
-
memory/1924-5-0x0000000000400000-0x00000000004D9000-memory.dmpFilesize
868KB
-
memory/1924-6-0x0000000000400000-0x00000000004D9000-memory.dmpFilesize
868KB
-
memory/1924-8-0x0000000002210000-0x0000000002276000-memory.dmpFilesize
408KB
-
memory/1924-9-0x0000000002192000-0x0000000002193000-memory.dmpFilesize
4KB
-
memory/2072-4-0x0000000000000000-mapping.dmp
-
memory/2072-7-0x0000000000400000-0x00000000004F7000-memory.dmpFilesize
988KB