Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-12-2020 15:22

General

  • Target

    Quotation order.exe

  • Size

    9.7MB

  • MD5

    fec94c3fe9cead7cbe7a1d627eedd841

  • SHA1

    edbf4df6ea9509e000e3c964be99374e94545a3a

  • SHA256

    aca79c29fda3bfb7e34038dc5a9a31d05ed1aba543328367478ef21540555da7

  • SHA512

    3a5ffccf84f27ebc5cad4415a561d4678fc9e28c4c08e58d9d87e1f216d080ced1e06230e607e3efa8d1ded5b7a8ad6d0d7942a54c1d82387d7782e40b46377c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    astonecargosafety@gmail.com
  • Password:
    Best242Best

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • AgentTesla Payload 2 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation order.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation order.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Users\Admin\AppData\Local\Temp\Quotation order.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation order.exe"
      2⤵
      PID:3100
    • C:\Users\Admin\AppData\Local\Temp\Quotation order.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation order.exe"
      2⤵
      PID:3572
    • C:\Users\Admin\AppData\Local\Temp\Quotation order.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation order.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (1) T1004
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (2) T1112
  • Credential Access
    Credentials in Files (3) T1081
  • Collection
    Data from Local System (3) T1005


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation order.exe.log
    MD5
    c0ad7b531cb050d170ceb51110be64db
    SHA1
    1fc4ff77fe0838a1fec8723139c25d5708ed8c0b
    SHA256
    2212589a88f2f3fa5c7127e548ea493b3ab2927e2417b54928ec82e3a42a424c
    SHA512
    148ecaa1ee3259ab2ec63abb28af5daad10534bd48e9afec2984d343c8f9c361f8caed04b32bb0de85d41e3329935e6d100d5036e33bc8fadcda1f7dd1bde436

  • memory/508-2-0x0000000073360000-0x0000000073A4E000-memory.dmp
    Filesize
    6.9MB

  • memory/508-3-0x0000000000C70000-0x0000000000C71000-memory.dmp
    Filesize
    4KB

  • memory/508-5-0x0000000005E10000-0x0000000005E11000-memory.dmp
    Filesize
    4KB

  • memory/508-6-0x0000000005EB0000-0x0000000005FB8000-memory.dmp
    Filesize
    1.0MB

  • memory/508-7-0x00000000064F0000-0x00000000064F1000-memory.dmp
    Filesize
    4KB

  • memory/2532-9-0x00000000004374DE-mapping.dmp

  • memory/2532-8-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
    240KB

  • memory/2532-11-0x0000000073360000-0x0000000073A4E000-memory.dmp
    Filesize
    6.9MB

  • memory/2532-16-0x00000000060E0000-0x00000000060E1000-memory.dmp
    Filesize
    4KB

  • memory/2532-17-0x00000000068A0000-0x00000000068A1000-memory.dmp
    Filesize
    4KB

  • memory/2532-18-0x0000000006F70000-0x0000000006F71000-memory.dmp
    Filesize
    4KB

  • memory/2532-19-0x00000000019E0000-0x00000000019E1000-memory.dmp
    Filesize
    4KB