Analysis
- max time kernel: 109s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-01-2021 19:09
Static task: static1
Behavioral task: behavioral1
- Sample: 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Resource: win10v20201028
General
- Target: 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Size: 8KB
- MD5: 1d3cc5bc3a27de86fd97fe5b4b8b0b8e
- SHA1: eaab6b4eb9c42e2572c292964f9f01a2017ac83d
- SHA256: b893403d4de4bd767e6196f0b7a4fd6dfd0f18f854a3d3dfac40b9a6488cff17
- SHA512: 24938f3d2dec0fa20034ae390a62f224a763e6de5454b8ca79c7d60e8b48d9c58b9e04dc06ad988c4429d7b3bb14081836c0b2ae5900dff07d6e45caa86cc4b3
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: frostdell.uk
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/3380-11-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/3380-12-0x000000000043764E-mapping.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1924 set thread context of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3380 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    3380 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    Token: SeDebugPrivilege | 3380 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    3380 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    PID 1924 wrote to memory of 3380 | 1924 | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe | 1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe"
  PID: 1924
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe"
    PID: 3380
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1d3cc5bc3a27de86fd97fe5b4b8b0b8e.exe.log
  MD5: bc181569bfb12333eadc1b311b8ef6a8
  SHA1: 484f86149c2097035e15c64ccdde228dc6327ccd
  SHA256: 8181aed2cbe92d7abcce9baa6008d0265a6b0279e4cfa99c00da1a3558173587
  SHA512: aa3f436cc27bc720dc7aac09023c97f8bb26dd0b9975d13fd54e58907839a9420d60feaaf067490354bab72be54a9cf0c4faa92bf34c05f6ca537e1b66f4a45f
- memory/1924-9-0x0000000005E50000-0x0000000005E51000-memory.dmp (Filesize: 4KB)
- memory/1924-3-0x0000000000B40000-0x0000000000B41000-memory.dmp (Filesize: 4KB)
- memory/1924-6-0x00000000055A0000-0x00000000055A1000-memory.dmp (Filesize: 4KB)
- memory/1924-7-0x0000000005D20000-0x0000000005D5F000-memory.dmp (Filesize: 252KB)
- memory/1924-8-0x00000000066D0000-0x00000000066D1000-memory.dmp (Filesize: 4KB)
- memory/1924-2-0x0000000073900000-0x0000000073FEE000-memory.dmp (Filesize: 6.9MB)
- memory/1924-10-0x0000000005E20000-0x0000000005E21000-memory.dmp (Filesize: 4KB)
- memory/1924-5-0x0000000005440000-0x0000000005441000-memory.dmp (Filesize: 4KB)
- memory/3380-11-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3380-12-0x000000000043764E-mapping.dmp
- memory/3380-14-0x0000000073900000-0x0000000073FEE000-memory.dmp (Filesize: 6.9MB)
- memory/3380-19-0x00000000056A0000-0x00000000056A1000-memory.dmp (Filesize: 4KB)
- memory/3380-20-0x00000000059F0000-0x00000000059F1000-memory.dmp (Filesize: 4KB)
- memory/3380-21-0x00000000062C0000-0x00000000062C1000-memory.dmp (Filesize: 4KB)