Analysis
- max time kernel: 125s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: 30714756.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 30714756.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 30714756.exe
- Size: 617KB
- MD5: c1279eb7ba4c37f73765233d8ce917d5
- SHA1: 2e9978ed7bd20a8b8890f9d236317f0e6dfab11f
- SHA256: 1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
- SHA512: 5be8c1dac94b8c7f8cd183f57c82b66149fbe3a06d75745f9ccc5de77233ff45c363fbd7520f726c688e477e08f418271fb3e9e3039ff6b9ced1ec7b863646d6
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.vivaldi.net
  - Port: 587
  - Username: chynaman@vivaldi.net
  - Password: pmoneyboy994
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (2 IoCs)
Processes:
  resource                                                                    | yara_rule
  behavioral2/memory/3868-11-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/3868-12-0x00000000004373EE-mapping.dmp                  | family_agenttesla
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 30714756.exe
  description                        | pid | process      | target process
  PID 8 set thread context of 3868   | 8   | 30714756.exe | RegSvcs.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 30714756.exe, RegSvcs.exe
  pid  | process
  8    | 30714756.exe (3 entries)
  3868 | RegSvcs.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 30714756.exe, RegSvcs.exe
  description              | pid  | process
  Token: SeDebugPrivilege  | 8    | 30714756.exe
  Token: SeDebugPrivilege  | 3868 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 30714756.exe
  description                      | pid | process      | target process
  PID 8 wrote to memory of 2812    | 8   | 30714756.exe | RegSvcs.exe (3 entries)
  PID 8 wrote to memory of 3868    | 8   | 30714756.exe | RegSvcs.exe (8 entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\30714756.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\30714756.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
   -
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
  file                                                        | Filesize
  memory/8-2-0x0000000073940000-0x000000007402E000-memory.dmp  | 6.9MB
  memory/8-3-0x0000000000080000-0x0000000000081000-memory.dmp  | 4KB
  memory/8-5-0x0000000004F80000-0x0000000004F81000-memory.dmp  | 4KB
  memory/8-6-0x0000000004970000-0x0000000004971000-memory.dmp  | 4KB
  memory/8-7-0x0000000004960000-0x0000000004961000-memory.dmp  | 4KB
  memory/8-8-0x0000000004A10000-0x0000000004A1E000-memory.dmp  | 56KB
  memory/8-9-0x00000000056C0000-0x000000000574B000-memory.dmp  | 556KB
  memory/8-10-0x00000000057F0000-0x00000000057F1000-memory.dmp | 4KB
  memory/3868-11-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
  memory/3868-12-0x00000000004373EE-mapping.dmp               | (no size listed)
  memory/3868-13-0x0000000073940000-0x000000007402E000-memory.dmp | 6.9MB
  memory/3868-18-0x0000000005920000-0x0000000005921000-memory.dmp | 4KB
  memory/3868-19-0x00000000064B0000-0x00000000064B1000-memory.dmp | 4KB