OCXQZK3KWmWNdRx.exe

General

Target: OCXQZK3KWmWNdRx.exe
Filesize: 803KB
Completed: 22-01-2021 10:20
Score: 10/10

MD5: c6286c765c37478223b99c6ab0dc96f5
SHA1: eb043c7435526162e7e3a85005421fba3c1f3618
SHA256: 8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.flood-protection.org
  Port: 587
  Username: uchedon@flood-protection.org
  Password: uchedon2424@

Signatures 9

Collection
Credential Access
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2008-13-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/2008-14-0x00000000004374DE-mapping.dmp | family_agenttesla
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious use of SetThreadContext
    OCXQZK3KWmWNdRx.exe

    Reported IOCs

    description | pid | process | target process
    PID 636 set thread context of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
  • Suspicious behavior: EnumeratesProcesses
    OCXQZK3KWmWNdRx.exe

    Reported IOCs

    pid | process
    2008 | OCXQZK3KWmWNdRx.exe
    2008 | OCXQZK3KWmWNdRx.exe
  • Suspicious use of AdjustPrivilegeToken
    OCXQZK3KWmWNdRx.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2008 | OCXQZK3KWmWNdRx.exe
  • Suspicious use of WriteProcessMemory
    OCXQZK3KWmWNdRx.exe

    Reported IOCs

    description | pid | process | target process
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
    PID 636 wrote to memory of 2008 | 636 | OCXQZK3KWmWNdRx.exe | OCXQZK3KWmWNdRx.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe
    "C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe
      "C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
Network
MITRE ATT&CK Matrix
  Command and Control
  Credential Access
  Defense Evasion
  Discovery
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OCXQZK3KWmWNdRx.exe.log
    MD5: 90acfd72f14a512712b1a7380c0faf60
    SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
    SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
    SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
  • memory/636-3-0x00000000002B0000-0x00000000002B1000-memory.dmp
  • memory/636-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
  • memory/636-6-0x0000000005170000-0x0000000005171000-memory.dmp
  • memory/636-7-0x0000000004D10000-0x0000000004D11000-memory.dmp
  • memory/636-8-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
  • memory/636-9-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
  • memory/636-10-0x0000000004E70000-0x0000000004E71000-memory.dmp
  • memory/636-11-0x0000000004ED0000-0x0000000004EF3000-memory.dmp
  • memory/636-12-0x0000000005AD0000-0x0000000005B47000-memory.dmp
  • memory/636-2-0x0000000073190000-0x000000007387E000-memory.dmp
  • memory/2008-14-0x00000000004374DE-mapping.dmp
  • memory/2008-13-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/2008-16-0x0000000073190000-0x000000007387E000-memory.dmp
  • memory/2008-21-0x0000000005920000-0x0000000005921000-memory.dmp
  • memory/2008-22-0x0000000005C70000-0x0000000005C71000-memory.dmp
  • memory/2008-23-0x0000000006560000-0x0000000006561000-memory.dmp
  • memory/2008-26-0x0000000005921000-0x0000000005922000-memory.dmp