Analysis
- max time kernel: 134s
- max time network: 97s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 30714756.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 30714756.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 30714756.exe
- Size: 617KB
- MD5: c1279eb7ba4c37f73765233d8ce917d5
- SHA1: 2e9978ed7bd20a8b8890f9d236317f0e6dfab11f
- SHA256: 1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
- SHA512: 5be8c1dac94b8c7f8cd183f57c82b66149fbe3a06d75745f9ccc5de77233ff45c363fbd7520f726c688e477e08f418271fb3e9e3039ff6b9ced1ec7b863646d6
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials (SMTP exfiltration account embedded in the sample)
  - Protocol: smtp
  - Host: smtp.vivaldi.net
  - Port: 587
  - Username: chynaman@vivaldi.net
  - Password: pmoneyboy994
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET; this sample exfiltrates over SMTP using the account in the extracted config.
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1576-7-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1576-8-0x00000000004373EE-mapping.dmp | family_agenttesla
behavioral1/memory/1576-9-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1576-10-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1472 set thread context of 1576 | 1472 | 30714756.exe | RegSvcs.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1576 | RegSvcs.exe
1576 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1576 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1472 wrote to memory of 1576 | 1472 | 30714756.exe | RegSvcs.exe
(the same entry is recorded 12 times, i.e. twelve WriteProcessMemory calls from 30714756.exe into RegSvcs.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\30714756.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\30714756.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 1)
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
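The Signatures and Processes sections above describe one chain: 30714756.exe (PID 1472) spawns the Microsoft-signed .NET host RegSvcs.exe (PID 1576), writes into it twelve times, calls SetThreadContext to redirect its thread, and the hollowed RegSvcs.exe then enables SeDebugPrivilege. The following script is an added example, not part of the sandbox report or of the Triage product: it parses event lines in the report's own wording and reconstructs that process-hollowing chain. The event strings are constructed from this report (with the twelve identical WriteProcessMemory rows reduced to two); the extra .NET host names beyond RegSvcs.exe are an assumption for illustration, not something the report shows.

```python
"""
Reconstruct a process-hollowing chain (parent writes into a child it spawned,
then hijacks the child's thread with SetThreadContext) from Triage-style
signature event lines.

Added example; not code from the sandbox report or from Triage.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed from this report's SetThreadContext, AdjustPrivilegeToken and
# WriteProcessMemory entries (the 12 identical write rows reduced to 2).
EVENTS = [
    "PID 1472 set thread context of 1576 1472 30714756.exe RegSvcs.exe",
    "PID 1472 wrote to memory of 1576 1472 30714756.exe RegSvcs.exe",
    "PID 1472 wrote to memory of 1576 1472 30714756.exe RegSvcs.exe",
    "Token: SeDebugPrivilege 1576 RegSvcs.exe",
]

# RegSvcs.exe is the host seen in this report. The other names are an
# assumption for the example (commonly abused signed .NET utilities), not
# something the report demonstrates.
NET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) (?P<pid>\d+) (?P<name>\S+)$")


@dataclass
class Pair:
    """Everything observed between one source PID and one target PID."""
    src_name: str
    dst_name: str
    writes: int = 0                 # WriteProcessMemory calls src -> dst
    thread_context: bool = False    # SetThreadContext src -> dst seen
    privileges: set = field(default_factory=set)  # privileges dst enabled


def parse_events(lines):
    """Group the event lines by (source pid, target pid)."""
    pairs = {}
    privs = defaultdict(set)
    for line in lines:
        line = line.strip()
        m = EVENT_RE.match(line)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            p = pairs.setdefault(key, Pair(m["src_name"], m["dst_name"]))
            if m["action"].startswith("wrote"):
                p.writes += 1
            else:
                p.thread_context = True
            continue
        t = TOKEN_RE.match(line)
        if t:
            privs[int(t["pid"])].add(t["priv"])
    for (_src, dst), p in pairs.items():
        p.privileges = privs.get(dst, set())
    return pairs


def find_hollowing(pairs):
    """Return (src_pid, dst_pid, reason) for every pair showing both
    memory writes and a thread-context hijack; either one alone is not enough."""
    findings = []
    for (src, dst), p in pairs.items():
        if p.writes == 0 or not p.thread_context:
            continue
        reason = (f"{p.src_name} ({src}) wrote {p.writes}x into "
                  f"{p.dst_name} ({dst}) then called SetThreadContext")
        if p.dst_name.lower() in NET_HOSTS:
            reason += "; target is a signed .NET utility host"
        if "SeDebugPrivilege" in p.privileges:
            reason += "; hollowed target then enabled SeDebugPrivilege"
        findings.append((src, dst, reason))
    return findings


if __name__ == "__main__":
    for src, dst, why in find_hollowing(parse_events(EVENTS)):
        print(f"[process hollowing] {src} -> {dst}: {why}")
```

Requiring both a memory write and SetThreadContext on the same parent/child pair is what separates hollowing from a debugger or a legitimate injector that only does one of the two; in a real deployment the event source would be a Sysmon or EDR feed rather than the sandbox's text, but the pairing logic is the same.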
Network
MITRE ATT&CK Matrix
Downloads
- memory/1472-2-0x0000000074480000-0x0000000074B6E000-memory.dmp (6.9MB)
- memory/1472-3-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
- memory/1472-5-0x00000000003C0000-0x00000000003CE000-memory.dmp (56KB)
- memory/1472-6-0x0000000005360000-0x00000000053EB000-memory.dmp (556KB)
- memory/1576-7-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1576-8-0x00000000004373EE-mapping.dmp
- memory/1576-9-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1576-10-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1576-11-0x0000000074480000-0x0000000074B6E000-memory.dmp (6.9MB)