Analysis

- max time kernel: 148s
- max time network: 74s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-12-2020 06:40

Static task: static1

Behavioral task: behavioral1
- Sample: New order. December.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: New order. December.exe
- Resource: win10v20201028
General

- Target: New order. December.exe
- Size: 971KB
- MD5: 42289a23f33d793b5213979021fe021f
- SHA1: 387ba991a7fbc49d8b5371bb410abac55dd82b2d
- SHA256: 824d9e9082e27b16c7bff8e0c02321c69abde54bcbc160a17f68ad4eba21170f
- SHA512: 3ee8761c8f07856f3daaa31b141450ddf28ee00a73053e6767a6ec28448b942364138e9ca02dcbd582e4c7fa29ad7f83a2dd29e4eb47cb049f24da77d9621a36
Malware Config

Extracted family: agenttesla
- Protocol: smtp
- Host: smtp.lokalboyz.com
- Port: 587
- Username: [email protected]
- Password: Gllm9vjy
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (2 IoCs)
  Processes:
  - resource: behavioral2/memory/208-2-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule: family_agenttesla
  - resource: behavioral2/memory/208-3-0x00000000004373EE-mapping.dmp, yara_rule: family_agenttesla

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 648 set thread context of 208 | 648 | New order. December.exe | New order. December.exe

- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | New order. December.exe
  - File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | New order. December.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 208 | New order. December.exe
  - 208 | New order. December.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 208 | New order. December.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 208 | New order. December.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 648 wrote to memory of 208 | 648 | New order. December.exe | New order. December.exe
  (this row is repeated 8 times in the report, one per IoC)
Processes

1. C:\Users\Admin\AppData\Local\Temp\New order. December.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\New order. December.exe"
   PID: 648
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\New order. December.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New order. December.exe"
      PID: 208
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\New order. December.exe.log
  MD5: 6e9fb31f46c15c53382e10248934b0ed
  SHA1: 1e6f84785ee2dc1db1eb8936f0b606925d89df53
  SHA256: b0502817048b7a6a45331554ed3309978442cd4d328ec8b48c2724e554b1088a
  SHA512: ccddc09e96f894e4fa048e1497d904cdfe41187eef047d5359c74c6c944578d70bcb9284b14341f3ff9d8a59463e473cc24b2ff0efd0e50f81ba7d0b9e22a9da

- memory/208-2-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB

- memory/208-3-0x00000000004373EE-mapping.dmp