Analysis
- max time kernel: 107s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-12-2020 06:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: New order. December.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: New order. December.exe
  Resource: win10v20201028

General
- Target: New order. December.exe
- Size: 971KB
- MD5: 42289a23f33d793b5213979021fe021f
- SHA1: 387ba991a7fbc49d8b5371bb410abac55dd82b2d
- SHA256: 824d9e9082e27b16c7bff8e0c02321c69abde54bcbc160a17f68ad4eba21170f
- SHA512: 3ee8761c8f07856f3daaa31b141450ddf28ee00a73053e6767a6ec28448b942364138e9ca02dcbd582e4c7fa29ad7f83a2dd29e4eb47cb049f24da77d9621a36
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.lokalboyz.com
- Port: 587
- Username: [email protected]
- Password: Gllm9vjy
Signatures
- AgentTesla
  Agent Tesla is a .NET keylogger and credential stealer sold as a remote access tool (RAT); this sample's extracted config sends its take over SMTP.
- AgentTesla Payload (4 IoCs)
  All four YARA hits are on memory dumped from the child process (PID 1612), in the same 0x400000-0x43C000 region; no hit is reported on the on-disk file, which is consistent with a payload unpacked into the child by the parent.
  resource                                                                     yara_rule
  behavioral1/memory/1612-4-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  behavioral1/memory/1612-5-0x00000000004373EE-mapping.dmp                    family_agenttesla
  behavioral1/memory/1612-6-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  behavioral1/memory/1612-7-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                   target process
  PID 748 set thread context of 1612   748   New order. December.exe   New order. December.exe
- Drops file in Windows directory (1 IoC)
  description    ioc                                                                          process
  File created   C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new   New order. December.exe
  Note: security.config.cch(.new) is the .NET Framework's cached security-policy file, rewritten by the runtime itself when a .NET 2.0/3.5 application starts. It is a by-product of the sample being a .NET executable (the process tree attributes it to the parent, PID 748), not a payload drop or a persistence artefact.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  1612   New order. December.exe
  1612   New order. December.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    process
  Token: SeDebugPrivilege   1612   New order. December.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  1612   New order. December.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process                   target process
  PID 748 wrote to memory of 1612    748   New order. December.exe   New order. December.exe   (9 identical events)
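The SetThreadContext and WriteProcessMemory rows above, together with the fact that the child was spawned from the same image as its parent, are the classic process-hollowing (RunPE) sequence that .NET loaders use to run a decoded payload inside a fresh copy of themselves; the YARA hits on the child's 0x400000-0x43C000 region, with the mapped address 0x4373EE falling inside it, are the visible result. The script below is an added example, not part of the sandbox report or its tooling: it replays a hand-constructed event list carrying the same facts as the report (PIDs, image path, event counts, dumped region) through a small correlation rule and checks the dumped region. The event field names and the Finding class are assumptions of this example, not a sandbox export format.

```python
"""Correlate sandbox behavioural events into a process-hollowing verdict.

Added example: the EVENTS list is constructed by hand from the report's
signature rows (PIDs 748/1612, the self-spawned image, 9x WriteProcessMemory,
1x SetThreadContext, SeDebugPrivilege and SetWindowsHookEx in the child).
Field names ("op", "pid", "ppid", "target", ...) are this script's own
assumption, not a real sandbox export format.
"""
from collections import defaultdict
from dataclasses import dataclass

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\New order. December.exe"

# Constructed event stream: same facts as the report, not a real log export.
EVENTS = [
    {"op": "create", "pid": 748, "ppid": 0, "image": IMAGE},
    {"op": "create", "pid": 1612, "ppid": 748, "image": IMAGE},
    *[{"op": "WriteProcessMemory", "pid": 748, "target": 1612} for _ in range(9)],
    {"op": "SetThreadContext", "pid": 748, "target": 1612},
    {"op": "AdjustPrivilegeToken", "pid": 1612, "privilege": "SeDebugPrivilege"},
    {"op": "SetWindowsHookEx", "pid": 1612},
]

# Region the sandbox dumped from the child, and the address it recorded as mapped.
DUMPED_REGIONS = [(0x400000, 0x43C000)]
MAPPED_ADDRESS = 0x4373EE


@dataclass
class Finding:
    parent: int
    child: int
    same_image: bool
    writes: int
    thread_context_set: bool
    child_hooks_input: bool = False   # SetWindowsHookEx in the child: keylogging
    child_debug_priv: bool = False    # SeDebugPrivilege enabled in the child

    @property
    def is_hollowing(self) -> bool:
        # Writing into another process or repointing one of its threads is
        # each seen in legitimate software (debuggers, crash handlers). Both,
        # from a parent into a child spawned from the parent's own image, is
        # the RunPE sequence and is what this rule fires on.
        return self.same_image and self.writes > 0 and self.thread_context_set


def detect_hollowing(events):
    """Return one Finding per parent->child pair that shows injection activity."""
    procs = {e["pid"]: e for e in events if e["op"] == "create"}
    writes = defaultdict(int)   # (writer pid, target pid) -> event count
    ctx, hooks, debug = set(), set(), set()
    for e in events:
        if e["op"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["op"] == "SetThreadContext":
            ctx.add((e["pid"], e["target"]))
        elif e["op"] == "SetWindowsHookEx":
            hooks.add(e["pid"])
        elif e["op"] == "AdjustPrivilegeToken" and e.get("privilege") == "SeDebugPrivilege":
            debug.add(e["pid"])

    findings = []
    for child, info in procs.items():
        parent = info["ppid"]
        if parent not in procs:
            continue
        pair = (parent, child)
        if writes[pair] == 0 and pair not in ctx:
            continue
        findings.append(Finding(
            parent=parent,
            child=child,
            same_image=procs[parent]["image"].lower() == info["image"].lower(),
            writes=writes[pair],
            thread_context_set=pair in ctx,
            child_hooks_input=child in hooks,
            child_debug_priv=child in debug,
        ))
    return findings


def address_in_dumped_region(addr, regions):
    """True if addr lies inside one of the [lo, hi) regions the sandbox dumped."""
    return any(lo <= addr < hi for lo, hi in regions)


def region_size_kb(lo, hi):
    """Size of a dumped region in KB, to cross-check the report's Filesize column."""
    return (hi - lo) // 1024


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"{f.parent} -> {f.child}: hollowing={f.is_hollowing}, "
              f"writes={f.writes}, hook={f.child_hooks_input}, debug={f.child_debug_priv}")
    print("mapped address inside dumped region:",
          address_in_dumped_region(MAPPED_ADDRESS, DUMPED_REGIONS))
```

The rule deliberately requires the same-image condition: a parent that writes into and repoints a thread of a child it spawned from its own binary has almost no benign explanation, which keeps the heuristic usable on endpoint telemetry where WriteProcessMemory alone is noisy. The region helper confirms that the 0x400000-0x43C000 dump is the 240KB the report lists and that the recorded mapping address sits inside it.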
Processes
- C:\Users\Admin\AppData\Local\Temp\New order. December.exe  "C:\Users\Admin\AppData\Local\Temp\New order. December.exe"  (PID 748)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\New order. December.exe  "C:\Users\Admin\AppData\Local\Temp\New order. December.exe"  (PID 1612, child of 748)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: 4fb607c4a561123249ee58454fbe84e2
  SHA1: f7c662c932898baaeda898684b4a3005a50ff276
  SHA256: 187df610c0e5b9839894cd01c776c20e6cedc04f4aa2f8718bbb5513bb357f0c
  SHA512: 987eb0c4e212360e4706f605e78328a848c21b11e1c5e252a90aa77985a1b58c876a815ea4837e6dc14b4b99b0b9a0abc32aa8e464984b07c8c31dc9990785c1
- memory/1612-4-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1612-5-0x00000000004373EE-mapping.dmp
- memory/1612-6-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1612-7-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB