Analysis

  • max time kernel
    42s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-11-2020 10:45

General

  • Target

    0x000300000001ac9f-141.exe

  • Size

    19KB

  • MD5

    5898d001eedb60a637f9334965e241a9

  • SHA1

    59d543084a8230ac387dee45b027c47282256d02

  • SHA256

    08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd

  • SHA512

    d8be87bddd9f289597221d864370dfdd1ea94d2910837e211f34eec0fee56477672d98bd0565059389ff6d9ac79002f0ffa792feb84db02b18f432c6174e71e0

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • AgentTesla Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
      2⤵
      • Executes dropped EXE
      PID:2976
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • Runs ping.exe
          PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • memory/1640-13-0x0000000006120000-0x0000000006121000-memory.dmp
    Filesize

    4KB

  • memory/1640-24-0x00000000083E0000-0x00000000083E1000-memory.dmp
    Filesize

    4KB

  • memory/1640-5-0x000000000040CD2F-mapping.dmp
  • memory/1640-14-0x0000000005020000-0x0000000005021000-memory.dmp
    Filesize

    4KB

  • memory/1640-7-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/1640-8-0x0000000002940000-0x0000000002941000-memory.dmp
    Filesize

    4KB

  • memory/1640-9-0x0000000073D40000-0x000000007442E000-memory.dmp
    Filesize

    6.9MB

  • memory/1640-10-0x0000000000EC0000-0x0000000000EE4000-memory.dmp
    Filesize

    144KB

  • memory/1640-11-0x0000000005610000-0x0000000005611000-memory.dmp
    Filesize

    4KB

  • memory/1640-12-0x00000000028E0000-0x0000000002902000-memory.dmp
    Filesize

    136KB

  • memory/1640-23-0x0000000006F20000-0x0000000006F21000-memory.dmp
    Filesize

    4KB

  • memory/1640-4-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/1640-17-0x0000000005310000-0x0000000005311000-memory.dmp
    Filesize

    4KB

  • memory/1640-16-0x0000000005070000-0x0000000005071000-memory.dmp
    Filesize

    4KB

  • memory/1640-15-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
    Filesize

    4KB

  • memory/1640-18-0x0000000006A00000-0x0000000006A01000-memory.dmp
    Filesize

    4KB

  • memory/1640-19-0x0000000007100000-0x0000000007101000-memory.dmp
    Filesize

    4KB

  • memory/1640-20-0x0000000006910000-0x0000000006911000-memory.dmp
    Filesize

    4KB

  • memory/1640-21-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
    Filesize

    4KB

  • memory/1640-22-0x0000000006C50000-0x0000000006C51000-memory.dmp
    Filesize

    4KB

  • memory/2236-25-0x0000000000000000-mapping.dmp
  • memory/2484-1-0x0000000000C00000-0x0000000000C01000-memory.dmp
    Filesize

    4KB

  • memory/2484-0-0x0000000073D40000-0x000000007442E000-memory.dmp
    Filesize

    6.9MB

  • memory/3692-26-0x0000000000000000-mapping.dmp