Analysis
- max time kernel: 149s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 20:13
Static task: static1
Behavioral task: behavioral1
  Sample: Request For Quotation_pdf.scr
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Request For Quotation_pdf.scr
  Resource: win10v20201028
General
- Target: Request For Quotation_pdf.scr
- Size: 1.2MB
- MD5: a9125d57b0d4162e7da34d6b8c10836f
- SHA1: 56bcb534abe3e5111b07b4f502b647fb5584b905
- SHA256: 4f84f23b927e4a2f6f64d0c824777c1e0edb05f8f83a662ef59617793582cfb6
- SHA512: 430731a8792d27fac18be517bb200a514cc8b7d72e90d0bdfcd630ba85600c46633f13b3499eea0993573122c07dd5015fc2318b7e13dbed9495222822d6930d
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: diamondraylog@yandex.ru
- Password: tonyelo000@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (IoCs: 1)
  Processes:
    resource: behavioral1/memory/1680-9-0x00000000048A0000-0x00000000048D7000-memory.dmp
    yara_rule: family_agenttesla
- Reads data files stored by FTP clients (TTPs: 2)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (TTPs: 2)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (TTPs: 2)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (TTPs: 1, IoCs: 1)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (IoCs: 2)
  Processes:
    pid 1680, process: Request For Quotation_pdf.scr
    pid 1680, process: Request For Quotation_pdf.scr
- Suspicious use of AdjustPrivilegeToken (IoCs: 1)
  Processes:
    description: Token: SeDebugPrivilege, pid 1680, process: Request For Quotation_pdf.scr
- Suspicious use of WriteProcessMemory (IoCs: 4)
  Processes:
    description: PID 1680 wrote to memory of 1092, pid 1680, process: Request For Quotation_pdf.scr, target process: schtasks.exe
    description: PID 1680 wrote to memory of 1092, pid 1680, process: Request For Quotation_pdf.scr, target process: schtasks.exe
    description: PID 1680 wrote to memory of 1092, pid 1680, process: Request For Quotation_pdf.scr, target process: schtasks.exe
    description: PID 1680 wrote to memory of 1092, pid 1680, process: Request For Quotation_pdf.scr, target process: schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Request For Quotation_pdf.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request For Quotation_pdf.scr" /S
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FLahHLuGzK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8C9.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE8C9.tmp
  MD5: 41648fae6461e11c94201094b4890f0e
  SHA1: a9512f47f8c53c5c7725dd991c87d42c57538105
  SHA256: bd7551579f40a9110ffef61fd6907e6fc1683e3b03a888cb0f79e3a37fc4ea0e
  SHA512: 88835094183afc8e245516d97f82ec3b36ee367356d2d5068fa922fe40148c06f0b36b7918391df78381ccdeea809613e7d3b77ab7fa6390d40fdcebadda31c0
- memory/1092-7-0x0000000000000000-mapping.dmp
- memory/1680-2-0x00000000741A0000-0x000000007488E000-memory.dmp
  Filesize: 6.9MB
- memory/1680-3-0x0000000000C00000-0x0000000000C01000-memory.dmp
  Filesize: 4KB
- memory/1680-5-0x0000000000540000-0x0000000000552000-memory.dmp
  Filesize: 72KB
- memory/1680-6-0x00000000050E0000-0x0000000005154000-memory.dmp
  Filesize: 464KB
- memory/1680-9-0x00000000048A0000-0x00000000048D7000-memory.dmp
  Filesize: 220KB