Analysis
- max time kernel: 104s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-01-2021 10:13

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
- Size: 66KB
- MD5: d6e27ca5fda89dad7196cf7221682383
- SHA1: 98f18f3e3dce449b095c9d12bd7086875d75a6a3
- SHA256: 8d299c63fc884940002e9858925dc405621d1d57637d956944d224bb0e97371f
- SHA512: 899c0d9d32bfab89f6385194d6932adf68d41d50a51fef0ad45625aa4890fd16f7039a095d83c2f3dc94abec92be863f01150c4ee8d1af398872461c14c8b5bc
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: frostdell.uk
- Port: 587
- Username: pinterlog@frostdell.uk
- Password: 7213575aceACE@#$
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/776-6-0x0000000000600000-0x000000000065C000-memory.dmp | family_agenttesla
behavioral1/memory/1532-7-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1532-8-0x000000000043764E-mapping.dmp | family_agenttesla
behavioral1/memory/1532-15-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/368-13-0x000000000043764E-mapping.dmp | family_agenttesla
behavioral1/memory/732-18-0x000000000043764E-mapping.dmp | family_agenttesla
behavioral1/memory/1340-23-0x000000000043764E-mapping.dmp | family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs
Processes:
pid | process
776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe (34 identical rows, all from PID 776)
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 776 set thread context of 1532 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
PID 776 set thread context of 324 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
PID 776 set thread context of 368 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
PID 776 set thread context of 732 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
PID 776 set thread context of 1340 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
368 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
368 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
1532 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
1532 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
Token: SeDebugPrivilege | 368 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
Token: SeDebugPrivilege | 1532 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
368 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process
PID 776 wrote to memory of 1532 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe (9 rows)
PID 776 wrote to memory of 324 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe (5 rows)
PID 776 wrote to memory of 368 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe (9 rows)
PID 776 wrote to memory of 732 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe (9 rows)
PID 776 wrote to memory of 1340 | 776 | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe | SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe (9 rows)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.16229.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/324-11-0x000000000043764E-mapping.dmp
- memory/368-30-0x0000000004931000-0x0000000004932000-memory.dmp (Filesize: 4KB)
- memory/368-27-0x0000000004930000-0x0000000004931000-memory.dmp (Filesize: 4KB)
- memory/368-14-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/368-13-0x000000000043764E-mapping.dmp
- memory/732-20-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/732-18-0x000000000043764E-mapping.dmp
- memory/776-2-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/776-3-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)
- memory/776-5-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize: 4KB)
- memory/776-6-0x0000000000600000-0x000000000065C000-memory.dmp (Filesize: 368KB)
- memory/776-25-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/1340-23-0x000000000043764E-mapping.dmp
- memory/1340-24-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/1532-15-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1532-10-0x0000000073D40000-0x000000007442E000-memory.dmp (Filesize: 6.9MB)
- memory/1532-26-0x00000000048E0000-0x00000000048E1000-memory.dmp (Filesize: 4KB)
- memory/1532-8-0x000000000043764E-mapping.dmp
- memory/1532-7-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)