Vr.rar

General
Target

0x000300000001ac90-122.exe

Filesize

411KB

Completed

25-11-2020 10:47

Score
10 /10
MD5

ceec23bdfaa35e0eeee0bb318f9d339f

SHA1

69337754824f165accef920ec90d25aae72da9ca

SHA256

e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6

Malware Config
Signatures 10

Filter: none

Collection
Credential Access
Discovery
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • AgentTesla Payload

    Reported IOCs

    resourceyara_rule
    behavioral19/memory/1080-3-0x0000000006450000-0x0000000006474000-memory.dmpagent_tesla
    behavioral19/memory/1080-4-0x00000000064C0000-0x00000000064E3000-memory.dmpagent_tesla
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    9checkip.amazonaws.com
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1860PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    0x000300000001ac90-122.exe

    Reported IOCs

    pidprocess
    10800x000300000001ac90-122.exe
  • Suspicious use of AdjustPrivilegeToken
    0x000300000001ac90-122.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege10800x000300000001ac90-122.exe
  • Suspicious use of WriteProcessMemory
    0x000300000001ac90-122.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1080 wrote to memory of 163610800x000300000001ac90-122.execmd.exe
    PID 1080 wrote to memory of 163610800x000300000001ac90-122.execmd.exe
    PID 1080 wrote to memory of 163610800x000300000001ac90-122.execmd.exe
    PID 1080 wrote to memory of 163610800x000300000001ac90-122.execmd.exe
    PID 1636 wrote to memory of 18601636cmd.exePING.EXE
    PID 1636 wrote to memory of 18601636cmd.exePING.EXE
    PID 1636 wrote to memory of 18601636cmd.exePING.EXE
    PID 1636 wrote to memory of 18601636cmd.exePING.EXE
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac90-122.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac90-122.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
      Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        Runs ping.exe
        PID:1860
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • memory/1080-0-0x0000000006070000-0x0000000006081000-memory.dmp

                    • memory/1080-1-0x0000000006150000-0x0000000006161000-memory.dmp

                    • memory/1080-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

                    • memory/1080-3-0x0000000006450000-0x0000000006474000-memory.dmp

                    • memory/1080-4-0x00000000064C0000-0x00000000064E3000-memory.dmp

                    • memory/1636-5-0x0000000000000000-mapping.dmp

                    • memory/1860-6-0x0000000000000000-mapping.dmp