Vr.rar

General
Target:     0x000300000001ac9f-141.exe
Filesize:   19KB
Completed:  25-11-2020 10:47
Score:      10/10
MD5:        5898d001eedb60a637f9334965e241a9
SHA1:       59d543084a8230ac387dee45b027c47282256d02
SHA256:     08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd

Signatures 14

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic .NET).

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral27/memory/1564-10-0x0000000000AA0000-0x0000000000AC4000-memory.dmp   agent_tesla
    behavioral27/memory/1564-16-0x0000000000AD0000-0x0000000000AF2000-memory.dmp   agent_tesla

    Both rule hits are in the memory of PID 1564 (the dropped chrome.exe), not in the 19KB file on disk: the Agent Tesla payload is only present once it has been written into that process.
  • Executes dropped EXE
    chrome.exe

    Reported IOCs

    pid    process
    1564   chrome.exe
  • Loads dropped DLL
    0x000300000001ac9f-141.exe

    Reported IOCs

    pid    process
    1904   0x000300000001ac9f-141.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    11     checkip.amazonaws.com
  • Suspicious use of SetThreadContext
    0x000300000001ac9f-141.exe

    Reported IOCs

    description                            pid    process                      target process
    PID 1904 set thread context of 1564    1904   0x000300000001ac9f-141.exe   chrome.exe

    Setting the thread context of a process it has just written into is the last step of process hollowing (RunPE): the main thread of the suspended child is pointed at the written payload before it is resumed.
  • Modifies system certificate store
    0x000300000001ac9f-141.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description        ioc                                                                                                                                          process
    Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13                            0x000300000001ac9f-141.exe
    Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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   0x000300000001ac9f-141.exe

    Note: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the public root "DST Root CA X3". Windows writes a root into AuthRoot\Certificates on its own when CryptoAPI fetches it from the Windows Update root list while building a chain, so this entry is consistent with the sample making an outbound TLS connection to a server whose chain ends in that root; it is not by itself evidence that an attacker-controlled root was installed. Confirm by comparing the stored Blob with the published DST Root CA X3 certificate.
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid    process
    1520   PING.EXE

    Note: the ping here targets 127.0.0.1 with -n 3 (see the cmd.exe command line in the process tree), which is the usual way to sleep a few seconds from cmd before the del that removes the dropper. It is a delay, not remote system discovery, whatever the TTP tag says.
  • Suspicious behavior: EnumeratesProcesses
    chrome.exe

    Reported IOCs

    pid    process
    1564   chrome.exe
  • Suspicious use of AdjustPrivilegeToken
    0x000300000001ac9f-141.exe, chrome.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   1904   0x000300000001ac9f-141.exe
    Token: SeDebugPrivilege   1564   chrome.exe
  • Suspicious use of WriteProcessMemory
    0x000300000001ac9f-141.exe, chrome.exe, cmd.exe

    Reported IOCs

    description                          pid    process                      target process   events
    PID 1904 wrote to memory of 1564     1904   0x000300000001ac9f-141.exe   chrome.exe       10
    PID 1564 wrote to memory of 912      1564   chrome.exe                   cmd.exe          4
    PID 912 wrote to memory of 1520      912    cmd.exe                      PING.EXE         4

    The 1564 -> 912 and 912 -> 1520 writes are consistent with the writes every parent makes into a child during CreateProcess and carry no signal on their own. The ten 1904 -> 1564 writes, followed by the SetThreadContext entry above, are the hollowing of the dropped chrome.exe.
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe"
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Modifies system certificate store
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
        Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          Runs ping.exe
          PID:1520
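The SetThreadContext and WriteProcessMemory tables and the process tree above describe one chain: the dropper hollows a copy of itself that it dropped as chrome.exe, and that copy later removes the dropper with a ping-then-del command. The Python below is an added example, not part of the sandbox report or of the sandbox's own code; it reconstructs that chain from event tuples and a process table constructed from the report's rows, separates the hollowing pair from the ordinary parent-to-child writes, flags a chrome.exe running outside an assumed legitimate Chrome install directory, and matches the timed self-delete command line. The tuple layout, the function names and the install-path suffix are assumptions made for the example.

```python
"""Added example (not part of the sandbox report): triage the report's
process-injection and self-delete evidence from constructed event tuples."""
import re

# Constructed from the report's 'Reported IOCs' tables:
# (api, source pid, source image, target pid, target image)
EVENTS = [
    ("WriteProcessMemory", 1904, "0x000300000001ac9f-141.exe", 1564, "chrome.exe"),
    ("SetThreadContext",   1904, "0x000300000001ac9f-141.exe", 1564, "chrome.exe"),
    ("WriteProcessMemory", 1564, "chrome.exe",                 912,  "cmd.exe"),
    ("WriteProcessMemory", 912,  "cmd.exe",                    1520, "PING.EXE"),
]

# Constructed from the report's 'Processes' tree: pid -> (parent pid, image path, command line)
PROCESSES = {
    1904: (None, r"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe"'),
    1564: (1904, r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe",
           r'"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"'),
    912:  (1564, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""'),
    1520: (912,  r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
}

# Assumption for the example: a genuine chrome.exe lives under ...\Google\Chrome\Application\.
LEGIT_CHROME_SUFFIX = r"\google\chrome\application\chrome.exe"

# ping <loopback> -n N ... & del <target>: ping is the sleep, del removes the dropper.
PING_DELETE_RE = re.compile(r"\bping\b[^&]*-n\s+\d+[^&]*&\s*del\b", re.IGNORECASE)


def find_hollowing(events):
    """Return (source, target) pairs where a process wrote into another process
    and then set a thread context in it.  A parent writing into a child it has
    just created is ordinary CreateProcess behaviour (cmd.exe -> PING.EXE above),
    so WriteProcessMemory alone is noise; the SetThreadContext that follows it
    is the hollowing signal."""
    written, hits = set(), []
    for api, src, _, dst, _ in events:
        pair = (src, dst)
        if api == "WriteProcessMemory":
            written.add(pair)
        elif api == "SetThreadContext" and pair in written and pair not in hits:
            hits.append(pair)
    return hits


def masquerades_as_chrome(image_path):
    """True for a chrome.exe that is not in the assumed install directory
    (the report's copy sits inside the Chrome *profile*, User Data\\Default)."""
    p = image_path.lower()
    return p.endswith("\\chrome.exe") and not p.endswith(LEGIT_CHROME_SUFFIX)


def is_ping_delete(cmdline):
    """Match the timed self-delete idiom; independent of the del target, which
    the report shows as an empty string."""
    return PING_DELETE_RE.search(cmdline) is not None


def attack_chain(processes, leaf_pid):
    """Walk parent links from a leaf to the root; returns pids root-first."""
    chain, pid = [], leaf_pid
    while pid is not None:
        chain.append(pid)
        pid = processes[pid][0]
    return chain[::-1]


def triage(events, processes):
    """Collect the findings a responder would pull from this report."""
    findings = []
    for src, dst in find_hollowing(events):
        findings.append(f"hollowing: pid {src} -> pid {dst} ({processes[dst][1]})")
    for pid, (_, image, cmdline) in processes.items():
        if masquerades_as_chrome(image):
            findings.append(f"masquerade: pid {pid} runs chrome.exe from {image}")
        if is_ping_delete(cmdline):
            findings.append(f"self-delete: pid {pid} {cmdline}")
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, PROCESSES):
        print(finding)
    print("chain:", " -> ".join(str(p) for p in attack_chain(PROCESSES, 1520)))
```

Run as-is it reports three findings (the 1904 -> 1564 hollowing, the chrome.exe in the profile directory, and the self-delete in PID 912) and the chain 1904 -> 1564 -> 912 -> 1520. The same three checks port directly to EDR telemetry: pair cross-process writes with a subsequent SetThreadContext from the same source, compare image names against their expected install paths, and match the ping-then-del idiom on the command line rather than on the del target.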
Downloads
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
    MD5     6a673bfc3b67ae9782cb31af2f234c68
    SHA1    7544e89566d91e84e3cd437b9a073e5f6b56566e
    SHA256  978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
    SHA512  72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • \Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe (same file as above, listed under the path without the drive letter)
    MD5     6a673bfc3b67ae9782cb31af2f234c68
    SHA1    7544e89566d91e84e3cd437b9a073e5f6b56566e
    SHA256  978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
    SHA512  72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • memory/912-19-0x0000000000000000-mapping.dmp
  • memory/1520-20-0x0000000000000000-mapping.dmp
  • memory/1564-7-0x0000000000400000-0x0000000000435000-memory.dmp
  • memory/1564-5-0x000000000040CD2F-mapping.dmp
  • memory/1564-4-0x0000000000400000-0x0000000000435000-memory.dmp
  • memory/1564-8-0x0000000000AA0000-0x0000000000AB1000-memory.dmp
  • memory/1564-9-0x00000000742A0000-0x000000007498E000-memory.dmp
  • memory/1564-10-0x0000000000AA0000-0x0000000000AC4000-memory.dmp
  • memory/1564-16-0x0000000000AD0000-0x0000000000AF2000-memory.dmp
  • memory/1904-1-0x00000000008A0000-0x00000000008A1000-memory.dmp
  • memory/1904-0-0x0000000074320000-0x0000000074A0E000-memory.dmp