Analysis
- max time kernel: 150s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 14:26

Static task: static1

Behavioral task: behavioral1
- Sample: JUST1F1CANTE.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: JUST1F1CANTE.exe
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: JUST1F1CANTE.exe
- Size: 696KB
- MD5: 495d57b02cc54aa1b0c3c907891671ad
- SHA1: d467d32c1df44c406b362314f88c2e83b31cbf99
- SHA256: 49bc785cf04abebdb47fc3a0a15ea4d4185e19f83dcd1bda4e1d382a31e3742f
- SHA512: 52c442b48b0a2148f7f9752a64ef9beefad0a4c3bf689a14a20af16619ee6841eb934274da2294297cc54b72eb700d04bd6d9ec3f8d12f69fa7ffb631d40d8a7
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.ionos.es
  - Port: 587
  - Username: iruz@fuel-energy.com
  - Password: 9p9aB43$
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/788-5-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/788-6-0x00000000004374CE-mapping.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2008 set thread context of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  788 | JUST1F1CANTE.exe
  788 | JUST1F1CANTE.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 788 | JUST1F1CANTE.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description | pid | process | target process
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 2008 wrote to memory of 788 | 2008 | JUST1F1CANTE.exe | JUST1F1CANTE.exe
  PID 788 wrote to memory of 412 | 788 | JUST1F1CANTE.exe | dw20.exe
  PID 788 wrote to memory of 412 | 788 | JUST1F1CANTE.exe | dw20.exe
  PID 788 wrote to memory of 412 | 788 | JUST1F1CANTE.exe | dw20.exe
  PID 788 wrote to memory of 412 | 788 | JUST1F1CANTE.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JUST1F1CANTE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JUST1F1CANTE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JUST1F1CANTE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JUST1F1CANTE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 520
Network
MITRE ATT&CK Matrix
Downloads
- memory/412-9-0x0000000000000000-mapping.dmp
- memory/412-10-0x0000000001EE0000-0x0000000001EF1000-memory.dmp (Filesize: 68KB)
- memory/412-12-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize: 4KB)
- memory/788-5-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/788-6-0x00000000004374CE-mapping.dmp
- memory/788-8-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize: 4KB)
- memory/2008-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp (Filesize: 8KB)
- memory/2008-3-0x0000000000B50000-0x0000000000B51000-memory.dmp (Filesize: 4KB)
- memory/2008-4-0x0000000000B51000-0x0000000000B52000-memory.dmp (Filesize: 4KB)