Analysis
-
max time kernel
265s -
max time network
265s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-11-2020 00:02
General
-
Target
ago.exe
-
Size
216KB
-
MD5
8a22b57fee81a6691ba74ce13ea58f95
-
SHA1
e53b9783088fda62bcd087478eee6658097858c0
-
SHA256
c0854444ad8bd79257dd667fb86b4e395921c709bc00a1e43691219339a546d1
-
SHA512
47de85991716702e121d5f6fb617bf16e542b9e7b08ce3604e1592edd8e5554abfed359636a03fcd59284edf694b8f658fd915ab733816da823c6907317fbf48
Score
7/10
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ago.exe"C:\Users\Admin\AppData\Local\Temp\ago.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/424-0-0x0000000073D50000-0x000000007443E000-memory.dmpFilesize
6.9MB
-
memory/424-1-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/424-3-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/424-4-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/424-5-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/424-6-0x0000000005E60000-0x0000000005E61000-memory.dmpFilesize
4KB
-
memory/424-7-0x00000000069D0000-0x00000000069D1000-memory.dmpFilesize
4KB
-
memory/424-8-0x00000000010C0000-0x00000000010C1000-memory.dmpFilesize
4KB