Analysis
- max time kernel: 146s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-12-2020 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: Document for FEDEX clearance.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Document for FEDEX clearance.exe
  Resource: win10v20201028
General
- Target: Document for FEDEX clearance.exe
- Size: 933KB
- MD5: e47bfff65206f25107f97232d1837eee
- SHA1: ee1595672da926e1c5630ce961a22071a2f46179
- SHA256: 0771791b95c7869be68dc8225a8763158d758b73cd83869f55188cd0ec98cbac
- SHA512: 9fb9176ee7455e812e1c0a353574dae18d91c793c997423e680a04c33d1beac8a0fce08784fb7d29e1ed50c268de015196f82e5f2e7344df375e0aef53be9ae9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.lokalboyz.com
- Port: 587
- Username: oc@lokalboyz.com
- Password: Gllm9vjy
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    resource: behavioral2/memory/1424-2-0x0000000000400000-0x000000000043C000-memory.dmp
    yara_rule: family_agenttesla
    resource: behavioral2/memory/1424-3-0x00000000004373EE-mapping.dmp
    yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 648 set thread context of 1424
    pid: 648
    process: Document for FEDEX clearance.exe
    target process: Document for FEDEX clearance.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description: File created
    ioc: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
    process: Document for FEDEX clearance.exe
    description: File created
    ioc: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
    process: Document for FEDEX clearance.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1424, process: Document for FEDEX clearance.exe
    pid: 1424, process: Document for FEDEX clearance.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1424
    process: Document for FEDEX clearance.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid: 1424, process: Document for FEDEX clearance.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (the same entry is listed 8 times):
    description: PID 648 wrote to memory of 1424
    pid: 648
    process: Document for FEDEX clearance.exe
    target process: Document for FEDEX clearance.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Document for FEDEX clearance.exe.log
  MD5: 5e7bb97636a484b5a87e60373614279a
  SHA1: 36bfdec32eedb141a4a106d89a453326f62593ee
  SHA256: 12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20
  SHA512: 448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56
- memory/1424-2-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/1424-3-0x00000000004373EE-mapping.dmp