Analysis
-
max time kernel
124s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-01-2021 14:37
Static task
static1
Behavioral task
behavioral1
Sample
r9SWnqQlK8PFPEp.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
r9SWnqQlK8PFPEp.exe
Resource
win10v20201028
General
-
Target
r9SWnqQlK8PFPEp.exe
-
Size
927KB
-
MD5
ab19c9b71f6af37fd29fa44377fada56
-
SHA1
b91f5469e965d3cf9ef860ac39248ebdd1c16c3c
-
SHA256
817f8cd46ad17c8f466e99582e24cc335ff5be48d6f8fbc6d41dc466be8fbb35
-
SHA512
4d1ba2b85f159d0af88133f73be8af958432f91f5abd008b6979fe782e4e07c806509da2e7f2d0905ca52a46da8075e5ef795df0aca20cffbc418b96c3d81572
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cefortem.cat - Port:
587 - Username:
[email protected] - Password:
Vft284Rpyn
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3460-12-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/3460-13-0x00000000004374DE-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
r9SWnqQlK8PFPEp.exedescription pid process target process PID 4708 set thread context of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
r9SWnqQlK8PFPEp.exer9SWnqQlK8PFPEp.exepid process 4708 r9SWnqQlK8PFPEp.exe 3460 r9SWnqQlK8PFPEp.exe 3460 r9SWnqQlK8PFPEp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
r9SWnqQlK8PFPEp.exer9SWnqQlK8PFPEp.exedescription pid process Token: SeDebugPrivilege 4708 r9SWnqQlK8PFPEp.exe Token: SeDebugPrivilege 3460 r9SWnqQlK8PFPEp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
r9SWnqQlK8PFPEp.exepid process 3460 r9SWnqQlK8PFPEp.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
r9SWnqQlK8PFPEp.exedescription pid process target process PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe PID 4708 wrote to memory of 3460 4708 r9SWnqQlK8PFPEp.exe r9SWnqQlK8PFPEp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\r9SWnqQlK8PFPEp.exe"C:\Users\Admin\AppData\Local\Temp\r9SWnqQlK8PFPEp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\r9SWnqQlK8PFPEp.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3460
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078