Analysis
- max time kernel: 150s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 20:45
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: file.exe
- Size: 760KB
- MD5: c6d1125563f610850f5feb7bb4f04b05
- SHA1: 4854463499dcba55c6154e90ec74d3c8692760d9
- SHA256: 9ada932ad6919b4f21da2eb872e9af9ab1da22a818a13c57ae65b8679c6c7be1
- SHA512: 654ebe45eddfc5b34a65abe82745aef4c9a3bb9084ee8099640ccca96e2dd061421bd7beeb3569c6c6e08fa604174361660df41e6c9f5895b938de1c08b4ee17
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: barclays247.com
  - Port: 587
  - Username: tombag@barclays247.com
  - Password: Du_&#[]2y&k*
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/516-8-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
  - behavioral1/memory/516-9-0x000000000043764E-mapping.dmp / family_agenttesla
  - behavioral1/memory/516-11-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes: file.exe
  - PID 1368 (file.exe) set thread context of PID 516 (file.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: file.exe
  - PID 516 (file.exe)
  - PID 516 (file.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: file.exe
  - Token: SeDebugPrivilege, PID 516 (file.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: file.exe
  - PID 1368 (file.exe) wrote to memory of PID 516 (file.exe), recorded 9 times (identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/516-8-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/516-9-0x000000000043764E-mapping.dmp
- memory/516-10-0x0000000074710000-0x0000000074DFE000-memory.dmp (6.9MB)
- memory/516-11-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/516-13-0x00000000007F0000-0x00000000007F1000-memory.dmp (4KB)
- memory/1368-2-0x0000000074710000-0x0000000074DFE000-memory.dmp (6.9MB)
- memory/1368-3-0x00000000009A0000-0x00000000009A1000-memory.dmp (4KB)
- memory/1368-5-0x0000000000850000-0x0000000000873000-memory.dmp (140KB)
- memory/1368-6-0x0000000004B20000-0x0000000004B21000-memory.dmp (4KB)
- memory/1368-7-0x0000000004B60000-0x0000000004BCF000-memory.dmp (444KB)