Vr.rar
0x000300000001ac9f-141.exe
19KB
25-11-2020 10:47
5898d001eedb60a637f9334965e241a9
59d543084a8230ac387dee45b027c47282256d02
08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd
Filter: none
-
AgentTesla
Description
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Tags
-
RedLine
Description
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Tags
-
AgentTesla Payload
Tags
Reported IOCs
resource: behavioral27/memory/1564-10-0x0000000000AA0000-0x0000000000AC4000-memory.dmp  yara_rule: agent_tesla
resource: behavioral27/memory/1564-16-0x0000000000AD0000-0x0000000000AF2000-memory.dmp  yara_rule: agent_tesla
-
Executes dropped EXE (chrome.exe)
Reported IOCs
pid: 1564  process: chrome.exe
-
Loads dropped DLL (0x000300000001ac9f-141.exe)
Reported IOCs
pid: 1904  process: 0x000300000001ac9f-141.exe
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Tags
TTPs
-
Checks installed software on the system
Description
Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags
TTPs
-
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
Reported IOCs
flow: 11  ioc: checkip.amazonaws.com
-
Suspicious use of SetThreadContext (0x000300000001ac9f-141.exe)
Reported IOCs
PID 1904 (0x000300000001ac9f-141.exe) set thread context of 1564 (chrome.exe)
-
Modifies system certificate store (0x000300000001ac9f-141.exe)
Tags
TTPs
Reported IOCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  process: 0x000300000001ac9f-141.exe
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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  process: 0x000300000001ac9f-141.exe
-
Runs ping.exe (PING.EXE)
TTPs
Reported IOCs
pid: 1520  process: PING.EXE
-
Suspicious behavior: EnumeratesProcesses (chrome.exe)
Reported IOCs
pid: 1564  process: chrome.exe
-
Suspicious use of AdjustPrivilegeToken (0x000300000001ac9f-141.exe, chrome.exe)
Reported IOCs
Token: SeDebugPrivilege  pid: 1904  process: 0x000300000001ac9f-141.exe
Token: SeDebugPrivilege  pid: 1564  process: chrome.exe
-
Suspicious use of WriteProcessMemory (0x000300000001ac9f-141.exe, chrome.exe, cmd.exe)
Reported IOCs
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1904 (0x000300000001ac9f-141.exe) wrote to memory of 1564 (chrome.exe)
PID 1564 (chrome.exe) wrote to memory of 912 (cmd.exe)
PID 1564 (chrome.exe) wrote to memory of 912 (cmd.exe)
PID 1564 (chrome.exe) wrote to memory of 912 (cmd.exe)
PID 1564 (chrome.exe) wrote to memory of 912 (cmd.exe)
PID 912 (cmd.exe) wrote to memory of 1520 (PING.EXE)
PID 912 (cmd.exe) wrote to memory of 1520 (PING.EXE)
PID 912 (cmd.exe) wrote to memory of 1520 (PING.EXE)
PID 912 (cmd.exe) wrote to memory of 1520 (PING.EXE)
-
Process: C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe"
Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
-
Process: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
Command line: "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
-
Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
Signatures: Suspicious use of WriteProcessMemory
-
Process: C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1 -n 3
Signatures: Runs ping.exe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
memory/912-19-0x0000000000000000-mapping.dmp
-
memory/1520-20-0x0000000000000000-mapping.dmp
-
memory/1564-7-0x0000000000400000-0x0000000000435000-memory.dmp
-
memory/1564-5-0x000000000040CD2F-mapping.dmp
-
memory/1564-4-0x0000000000400000-0x0000000000435000-memory.dmp
-
memory/1564-8-0x0000000000AA0000-0x0000000000AB1000-memory.dmp
-
memory/1564-9-0x00000000742A0000-0x000000007498E000-memory.dmp
-
memory/1564-10-0x0000000000AA0000-0x0000000000AC4000-memory.dmp
-
memory/1564-16-0x0000000000AD0000-0x0000000000AF2000-memory.dmp
-
memory/1904-1-0x00000000008A0000-0x00000000008A1000-memory.dmp
-
memory/1904-0-0x0000000074320000-0x0000000074A0E000-memory.dmp