Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-11-2020 07:51
Static task: static1
Behavioral task: behavioral1
- Sample: PI.exe
- Resource: win7v20201028
General
- Target: PI.exe
- Size: 964KB
- MD5: dbda32339a6965fefc794f220f944016
- SHA1: 3e53b09125eb1e031f5f0e777836ba738b84fc42
- SHA256: c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
- SHA512: be3282f1211845289f41775cd423312efca1a5cccfa5bfbf5a4baa31bb55b6067b0d40db3f82113c0166998c4bfd9459699bd0673acc68e3c5320244513a05fb
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.hybridgroupco.com
- Port: 587
- Username: info@hybridgroupco.com
- Password: Obinna123@@@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1924-3-0x00000000004D74C0-mapping.dmp                      family_agenttesla
  behavioral2/memory/1924-6-0x0000000000400000-0x00000000004D9000-memory.dmp    family_agenttesla
  behavioral2/memory/1924-8-0x0000000002210000-0x0000000002276000-memory.dmp    family_agenttesla
-
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1924-2-0x0000000000400000-0x00000000004D9000-memory.dmp    upx
  behavioral2/memory/1924-5-0x0000000000400000-0x00000000004D9000-memory.dmp    upx
  behavioral2/memory/1924-6-0x0000000000400000-0x00000000004D9000-memory.dmp    upx
-
Drops startup file 1 IoCs
Processes:
  description    ioc                                                                                         process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs   notepad.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process   target process
  PID 648 set thread context of 1924   648   PI.exe    PI.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid    process
  648    PI.exe    (2 entries)
  2072   PI.exe    (all remaining entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid   process
  648   PI.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1924   PI.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                       pid   process   target process   entries
  PID 648 wrote to memory of 1728   648   PI.exe    notepad.exe      5
  PID 648 wrote to memory of 1924   648   PI.exe    PI.exe           3
  PID 648 wrote to memory of 2072   648   PI.exe    PI.exe           3
Processes
- C:\Users\Admin\AppData\Local\Temp\PI.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe
    command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\PI.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\PI.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe" 2 1924 259281468
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory dump                                                      filesize
  memory/648-0-0x0000000000400000-0x00000000004F7000-memory.dmp    988KB
  memory/1728-1-0x0000000000000000-mapping.dmp
  memory/1924-2-0x0000000000400000-0x00000000004D9000-memory.dmp   868KB
  memory/1924-3-0x00000000004D74C0-mapping.dmp
  memory/1924-5-0x0000000000400000-0x00000000004D9000-memory.dmp   868KB
  memory/1924-6-0x0000000000400000-0x00000000004D9000-memory.dmp   868KB
  memory/1924-8-0x0000000002210000-0x0000000002276000-memory.dmp   408KB
  memory/1924-9-0x0000000002192000-0x0000000002193000-memory.dmp   4KB
  memory/2072-4-0x0000000000000000-mapping.dmp
  memory/2072-7-0x0000000000400000-0x00000000004F7000-memory.dmp   988KB