Analysis

  • max time kernel
    38s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    24-11-2020 02:32

General

  • Target

    a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe

  • Size

    590KB

  • MD5

    6611edb58235884e8499d12cdfa808be

  • SHA1

    7d1f2d13c59930dbb8e2547f3748215da9f20ee9

  • SHA256

    a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d

  • SHA512

    283769a041c725cfca6501b47979d8a51695535f701dca45d0c444a5e0d903e40a19ca98adc26f54998f2a4c27b9772bd821196c19f2b6ba485c837d79c803c2

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • AgentTesla Payload 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies service 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
    "C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
      C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe daut
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
        "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
        3⤵
        • Executes dropped EXE
        PID:544
      • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
        "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
        3⤵
        • Executes dropped EXE
        • Modifies service
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 3
            5⤵
            • Runs ping.exe
            PID:816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe

    MD5

    11d71c92fb114168431892a73963cb15

    SHA1

    6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

    SHA256

    18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

    SHA512

    e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

  • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe

    MD5

    11d71c92fb114168431892a73963cb15

    SHA1

    6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

    SHA256

    18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

    SHA512

    e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

  • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe

    MD5

    11d71c92fb114168431892a73963cb15

    SHA1

    6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

    SHA256

    18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

    SHA512

    e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

  • C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe

    MD5

    11d71c92fb114168431892a73963cb15

    SHA1

    6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

    SHA256

    18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

    SHA512

    e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

  • memory/816-19-0x0000000000000000-mapping.dmp

  • memory/868-14-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/868-10-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/868-11-0x000000000042040E-mapping.dmp

  • memory/868-13-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/868-15-0x0000000073F40000-0x000000007462E000-memory.dmp

    Filesize

    6.9MB

  • memory/1532-7-0x0000000002150000-0x000000000218C000-memory.dmp

    Filesize

    240KB

  • memory/1532-8-0x00000000003E0000-0x00000000003F6000-memory.dmp

    Filesize

    88KB

  • memory/1532-1-0x0000000000000000-mapping.dmp

  • memory/1532-4-0x0000000073F40000-0x000000007462E000-memory.dmp

    Filesize

    6.9MB

  • memory/1532-5-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

  • memory/1576-18-0x0000000000000000-mapping.dmp

  • memory/1808-0-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp

    Filesize

    2.5MB