Analysis
max time kernel: 294s
max time network: 294s
platform: windows10_x64
resource: win10v20201028
submitted: 20-01-2021 10:28

Static task: static1
Behavioral task: behavioral1
Sample: Confirm Bank Details.exe
Resource: win10v20201028

General
Target: Confirm Bank Details.exe
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: premium84.web-hosting.com
Port: 587
Username: onyi@m3texsourcnig.com
Password: cashmoney.123
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (2 IoCs)
Processes:
resource                                                                       yara_rule
behavioral1/memory/4036-15-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
behavioral1/memory/4036-16-0x00000000004374EE-mapping.dmp                     family_agenttesla
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                          pid    process                    target process
PID 3324 set thread context of 4036  3324   Confirm Bank Details.exe   Confirm Bank Details.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid    process
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
3324   Confirm Bank Details.exe
4036   Confirm Bank Details.exe
4036   Confirm Bank Details.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description               pid    process
Token: SeDebugPrivilege   3324   Confirm Bank Details.exe
Token: SeDebugPrivilege   4036   Confirm Bank Details.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid    process
4036   Confirm Bank Details.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
description                        pid    process                    target process
PID 3324 wrote to memory of 940    3324   Confirm Bank Details.exe   schtasks.exe
PID 3324 wrote to memory of 940    3324   Confirm Bank Details.exe   schtasks.exe
PID 3324 wrote to memory of 940    3324   Confirm Bank Details.exe   schtasks.exe
PID 3324 wrote to memory of 4016   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4016   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4016   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 2744   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 2744   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 2744   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 2820   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 2820   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 2820   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
PID 3324 wrote to memory of 4036   3324   Confirm Bank Details.exe   Confirm Bank Details.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSECbve" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EC4.tmp"
    - Creates scheduled task(s)

  Child: C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
    Command line: "{path}"

  Child: C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
    Command line: "{path}"

  Child: C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
    Command line: "{path}"

  Child: C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirm Bank Details.exe.log
MD5: b4f7a6a57cb46d94b72410eb6a6d45a9
SHA1: 69f3596ffa027202d391444b769ceea0ae14c5f7
SHA256: 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b
SHA512: be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

C:\Users\Admin\AppData\Local\Temp\tmp1EC4.tmp
MD5: fc93b5598bfe51b6fab30f6965a9e937
SHA1: 2227f24ce85044c5e4dd8db6c5599055d20ba6c9
SHA256: 6d82c6aba0cf905509b5f5bd66a819e037438f08b22495050876120434fa1d72
SHA512: ce0fa5526fa13cad37a9825399ecb2c901a962f3e62513199aff270eed9814920be948d9cd68f385b9c890be8b97632504b3ebc36e5c9cff66093a653d5ab18e

memory/940-13-0x0000000000000000-mapping.dmp

memory/3324-11-0x0000000005BC0000-0x0000000005C15000-memory.dmp
Filesize: 340KB

memory/3324-6-0x000000000B7D0000-0x000000000B7D1000-memory.dmp
Filesize: 4KB

memory/3324-8-0x0000000005BB0000-0x0000000005BB1000-memory.dmp
Filesize: 4KB

memory/3324-9-0x00000000059E0000-0x00000000059E1000-memory.dmp
Filesize: 4KB

memory/3324-10-0x0000000005BA0000-0x0000000005BAE000-memory.dmp
Filesize: 56KB

memory/3324-2-0x0000000073900000-0x0000000073FEE000-memory.dmp
Filesize: 6.9MB

memory/3324-12-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
Filesize: 4KB

memory/3324-7-0x000000000B370000-0x000000000B371000-memory.dmp
Filesize: 4KB

memory/3324-5-0x0000000007F40000-0x0000000007FCC000-memory.dmp
Filesize: 560KB

memory/3324-3-0x0000000000F00000-0x0000000000F01000-memory.dmp
Filesize: 4KB

memory/4036-16-0x00000000004374EE-mapping.dmp

memory/4036-15-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB

memory/4036-18-0x0000000073900000-0x0000000073FEE000-memory.dmp
Filesize: 6.9MB

memory/4036-23-0x0000000005520000-0x0000000005521000-memory.dmp
Filesize: 4KB

memory/4036-24-0x0000000005830000-0x0000000005831000-memory.dmp
Filesize: 4KB

memory/4036-25-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
Filesize: 4KB