Vr.rar

General
Target: 0x000300000001ac9f-141.exe
Filesize: 19KB
Completed: 25-11-2020 10:47
Score: 10/10
MD5: 5898d001eedb60a637f9334965e241a9
SHA1: 59d543084a8230ac387dee45b027c47282256d02
SHA256: 08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd

Malware Config
Signatures (12)

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral28/memory/1640-10-0x0000000000EC0000-0x0000000000EE4000-memory.dmp | agent_tesla
    behavioral28/memory/1640-12-0x00000000028E0000-0x0000000002902000-memory.dmp | agent_tesla
  • Executes dropped EXE
    chrome.exe, chrome.exe

    Reported IOCs

    pid | process
    2976 | chrome.exe
    1640 | chrome.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    24 | checkip.amazonaws.com
  • Suspicious use of SetThreadContext
    0x000300000001ac9f-141.exe

    Reported IOCs

    description | pid | process | target process
    PID 2484 set thread context of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    3692 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    0x000300000001ac9f-141.exe, chrome.exe

    Reported IOCs

    pid | process
    2484 | 0x000300000001ac9f-141.exe
    2484 | 0x000300000001ac9f-141.exe
    1640 | chrome.exe
  • Suspicious use of AdjustPrivilegeToken
    0x000300000001ac9f-141.exe, chrome.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2484 | 0x000300000001ac9f-141.exe
    Token: SeDebugPrivilege | 1640 | chrome.exe
  • Suspicious use of WriteProcessMemory
    0x000300000001ac9f-141.exe, chrome.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 2484 wrote to memory of 2976 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 2976 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 2976 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 2484 wrote to memory of 1640 | 2484 | 0x000300000001ac9f-141.exe | chrome.exe
    PID 1640 wrote to memory of 2236 | 1640 | chrome.exe | cmd.exe
    PID 1640 wrote to memory of 2236 | 1640 | chrome.exe | cmd.exe
    PID 1640 wrote to memory of 2236 | 1640 | chrome.exe | cmd.exe
    PID 2236 wrote to memory of 3692 | 2236 | cmd.exe | PING.EXE
    PID 2236 wrote to memory of 3692 | 2236 | cmd.exe | PING.EXE
    PID 2236 wrote to memory of 3692 | 2236 | cmd.exe | PING.EXE
Processes (5)
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9f-141.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
      Executes dropped EXE
      PID:2976
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
      "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
        Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          Runs ping.exe
          PID:3692
Network
MITRE ATT&CK Matrix
Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
    MD5: 6a673bfc3b67ae9782cb31af2f234c68
    SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
    SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
    SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
