Analysis
- max time kernel: 150s
- max time network: 108s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-12-2020 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
- Size: 828KB
- MD5: 2bdefd73dd2bb3c79fb31f58b979c497
- SHA1: 3df7f884fcaf945946443a451ddd5e8170dc6ca7
- SHA256: 68b03caba912a93057cc47618982c7c33ec41ccc1ab853b2e0d7483a383df603
- SHA512: f8097b3ec587abb29f8eb0df75cc70e9ebf7e5a997827571dceeadc1fd63bf58a56a22717877cfd4625035d9be036ee4b61def76d6cf2c4080cd10e4b15fa335
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.soin3.com
- Port: 587
- Username: mojo@soin3.com
- Password: icui4cu2@@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource                                                                   | yara_rule
  behavioral2/memory/1008-3-0x000000000043722E-mapping.dmp                   | family_agenttesla
  behavioral2/memory/1008-2-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  description                          | pid  | process                                            | target process
  PID 1404 set thread context of 1008  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
- Drops file in Windows directory (2 IoCs)
  Processes: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  description  | ioc                                                                               | process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new      | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe, SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  pid  | process
  1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  1008 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  1008 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe, SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  description              | pid  | process
  Token: SeDebugPrivilege  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  Token: SeDebugPrivilege  | 1008 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  description                      | pid  | process                                            | target process
  PID 1404 wrote to memory of 740  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 740  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 740  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 476  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 476  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 476  | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
  PID 1404 wrote to memory of 1008 | 1404 | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe | SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe.log
  MD5: 913522c9c0f65d51268d96a1af18324c
  SHA1: 1d42b9400d8aac6c8de76064698dd9c1115a6cb8
  SHA256: 9ec1f0458ee4d86a7d01354f7dcb2b699b5a002a8555348b725ae3561e22a280
  SHA512: fe5201e887cdc1e1125e54cd92587fe0d1f5665f93e302c7be0eb33abd2310a3f944f44b80129861258be49925cbaf3d26111d7eaa146e18593cc6ed4df77ea2
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: 79c15d1391af2809d3bb83868605f254
  SHA1: 8ba6eb4bb387b7c400b219845650150ed3142c02
  SHA256: 208ff33fafd315395496e02f1e5c91bd87e60752d93351246233f6db5a65e17a
  SHA512: c1a6d4e2efbba8c9f6e9de81d790676475e8a4b6fb7e368d5034c987832b7741be3c40c48977e7c6bb10d4d4e6b4a1e4c843333ac2ecaca5f480544da3bae976
- memory/1008-3-0x000000000043722E-mapping.dmp
- memory/1008-2-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB