Vr.rar

backendhorse2
featuresanalog, overview
max_time_kernel42500
max_time_network110142
platformwindows10_x64
resourcewin10v20201028
submitted25-11-2020 10:45

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

0x000300000001ac9f-141.exe

Filesize

19KB

Completed

25-11-2020 10:47

Score

10 ^/10

MD5

5898d001eedb60a637f9334965e241a9

SHA1

59d543084a8230ac387dee45b027c47282256d02

SHA256

08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd

Collection

Credential Access

Discovery

AgentTesla

Description

Agent Tesla is a remote access tool (RAT) written in visual basic.

Tags

keylogger trojan stealer spyware agenttesla
RedLine

Description

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Tags

infostealer redline

AgentTesla Payload

Reported IOCs

resource	yara_rule
behavioral28/memory/1640-10-0x0000000000EC0000-0x0000000000EE4000-memory.dmp	agent_tesla
behavioral28/memory/1640-12-0x00000000028E0000-0x0000000002902000-memory.dmp	agent_tesla

Executes dropped EXE
chrome.exechrome.exe

Reported IOCs

pid process

2976 chrome.exe
1640 chrome.exe
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Looks up external IP address via web service

Description

Uses a legitimate IP lookup service to find the infected system's external IP.

Reported IOCs

flow ioc

24 checkip.amazonaws.com
Suspicious use of SetThreadContext
0x000300000001ac9f-141.exe

Reported IOCs

description pid process target process

PID 2484 set thread context of 1640 2484 0x000300000001ac9f-141.exe chrome.exe
Runs ping.exe
PING.EXE

TTPs

Remote System Discovery

Reported IOCs

pid process

3692 PING.EXE
Suspicious behavior: EnumeratesProcesses
0x000300000001ac9f-141.exechrome.exe

Reported IOCs

pid process

2484 0x000300000001ac9f-141.exe
2484 0x000300000001ac9f-141.exe
1640 chrome.exe
Suspicious use of AdjustPrivilegeToken
0x000300000001ac9f-141.exechrome.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 2484 0x000300000001ac9f-141.exe
Token: SeDebugPrivilege 1640 chrome.exe

pid	process
2976	chrome.exe
1640	chrome.exe

flow	ioc
24	checkip.amazonaws.com

description	pid	process	target process
PID 2484 set thread context of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe

pid	process
3692	PING.EXE

pid	process
2484	0x000300000001ac9f-141.exe
2484	0x000300000001ac9f-141.exe
1640	chrome.exe

description	pid	process
Token: SeDebugPrivilege	2484	0x000300000001ac9f-141.exe
Token: SeDebugPrivilege	1640	chrome.exe

Suspicious use of WriteProcessMemory

0x000300000001ac9f-141.exechrome.execmd.exe

Reported IOCs

description	pid	process	target process
PID 2484 wrote to memory of 2976	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 2976	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 2976	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 2484 wrote to memory of 1640	2484	0x000300000001ac9f-141.exe	chrome.exe
PID 1640 wrote to memory of 2236	1640	chrome.exe	cmd.exe
PID 1640 wrote to memory of 2236	1640	chrome.exe	cmd.exe
PID 1640 wrote to memory of 2236	1640	chrome.exe	cmd.exe
PID 2236 wrote to memory of 3692	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3692	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3692	2236	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe

"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:2484

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"

Executes dropped EXE

PID:2976

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"

Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1640

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""

Suspicious use of WriteProcessMemory

PID:2236

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Runs ping.exe

PID:3692

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1640-24-0x00000000083E0000-0x00000000083E1000-memory.dmp

Download
memory/1640-4-0x0000000000400000-0x0000000000435000-memory.dmp

Download
memory/1640-5-0x000000000040CD2F-mapping.dmp

Download
memory/1640-22-0x0000000006C50000-0x0000000006C51000-memory.dmp

Download
memory/1640-7-0x0000000000400000-0x0000000000435000-memory.dmp

Download
memory/1640-8-0x0000000002940000-0x0000000002941000-memory.dmp

Download
memory/1640-9-0x0000000073D40000-0x000000007442E000-memory.dmp

Download
memory/1640-10-0x0000000000EC0000-0x0000000000EE4000-memory.dmp

Download
memory/1640-11-0x0000000005610000-0x0000000005611000-memory.dmp

Download
memory/1640-12-0x00000000028E0000-0x0000000002902000-memory.dmp

Download
memory/1640-13-0x0000000006120000-0x0000000006121000-memory.dmp

Download
memory/1640-14-0x0000000005020000-0x0000000005021000-memory.dmp

Download
memory/1640-15-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Download
memory/1640-16-0x0000000005070000-0x0000000005071000-memory.dmp

Download
memory/1640-17-0x0000000005310000-0x0000000005311000-memory.dmp

Download
memory/1640-18-0x0000000006A00000-0x0000000006A01000-memory.dmp

Download
memory/1640-19-0x0000000007100000-0x0000000007101000-memory.dmp

Download
memory/1640-20-0x0000000006910000-0x0000000006911000-memory.dmp

Download
memory/1640-21-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Download
memory/1640-23-0x0000000006F20000-0x0000000006F21000-memory.dmp

Download
memory/2236-25-0x0000000000000000-mapping.dmp

Download
memory/2484-0-0x0000000073D40000-0x000000007442E000-memory.dmp

Download
memory/2484-1-0x0000000000C00000-0x0000000000C01000-memory.dmp

Download
memory/3692-26-0x0000000000000000-mapping.dmp

Download

Vr.rar

Filter: none

Description

Tags

Description

Tags

Tags

Reported IOCs

Reported IOCs

Description

Tags

TTPs

Description

Tags

TTPs

Description

Reported IOCs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title