Analysis
-
max time kernel
118s -
max time network
139s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
14-04-2021 19:52
Static task
static1
Behavioral task
behavioral1
Sample
TWI-SHA 202102.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
TWI-SHA 202102.exe
Resource
win10v20210410
General
-
Target
TWI-SHA 202102.exe
-
Size
156KB
-
MD5
d5b8e2ce449917bf395454082de6cba9
-
SHA1
fe872c03ceef39422218003bc5a34be4faf47e55
-
SHA256
981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4
-
SHA512
54dc37f2345a4b70786920c80adf8c1fc72c9ab97edf95b239453c081ab221134fbbc8ae8d8fd3ce635d4b3aec8f42fbc44005930e917e10e1a72cbd5e442e48
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
p.pisapia@simonetta-it.co - Password:
HywxEue7
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1016-69-0x0000000000400000-0x0000000000553000-memory.dmp family_agenttesla -
Guloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1996-62-0x0000000000250000-0x000000000025D000-memory.dmp family_guloader behavioral1/memory/1016-65-0x000000000123CE5E-mapping.dmp family_guloader behavioral1/memory/1016-67-0x0000000000090000-0x0000000000190000-memory.dmp family_guloader -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
TWI-SHA 202102.exeRegAsm.exedescription ioc process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe TWI-SHA 202102.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe RegAsm.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
TWI-SHA 202102.exeRegAsm.exepid process 1996 TWI-SHA 202102.exe 1016 RegAsm.exe 1016 RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
TWI-SHA 202102.exedescription pid process target process PID 1996 set thread context of 1016 1996 TWI-SHA 202102.exe RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegAsm.exepid process 1016 RegAsm.exe 1016 RegAsm.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
TWI-SHA 202102.exepid process 1996 TWI-SHA 202102.exe 1996 TWI-SHA 202102.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 1016 RegAsm.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
TWI-SHA 202102.exeRegAsm.exepid process 1996 TWI-SHA 202102.exe 1016 RegAsm.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
TWI-SHA 202102.exedescription pid process target process PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 600 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe PID 1996 wrote to memory of 1016 1996 TWI-SHA 202102.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TWI-SHA 202102.exe"C:\Users\Admin\AppData\Local\Temp\TWI-SHA 202102.exe"1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\TWI-SHA 202102.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\TWI-SHA 202102.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1016-65-0x000000000123CE5E-mapping.dmp
-
memory/1016-67-0x0000000000090000-0x0000000000190000-memory.dmpFilesize
1024KB
-
memory/1016-69-0x0000000000400000-0x0000000000553000-memory.dmpFilesize
1.3MB
-
memory/1016-70-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/1016-72-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/1016-73-0x0000000000C21000-0x0000000000C22000-memory.dmpFilesize
4KB
-
memory/1996-62-0x0000000000250000-0x000000000025D000-memory.dmpFilesize
52KB
-
memory/1996-64-0x00000000767B1000-0x00000000767B3000-memory.dmpFilesize
8KB