Analysis
-
max time kernel
143s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
20-04-2021 12:11
Static task
static1
Behavioral task
behavioral1
Sample
be39908fb0cae5cdbbb7982a6ace4f23.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
be39908fb0cae5cdbbb7982a6ace4f23.exe
Resource
win10v20210410
General
-
Target
be39908fb0cae5cdbbb7982a6ace4f23.exe
-
Size
1.0MB
-
MD5
be39908fb0cae5cdbbb7982a6ace4f23
-
SHA1
f19fd7e8c80393e59ab19954d7b67b8323c0496e
-
SHA256
282b5d50f956c8ac1dea9080f1ba21129ce937a6d234fad62e17136509ac5166
-
SHA512
8a1aa9de76754a21736ab83fb3b98d9cffb49dbb2e60f21092c64d09debcb08ff912352f1df641e36943fd257e7c88fcc11f71479baf825c747b5bca25268c9b
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.scrablex.com - Port:
587 - Username:
[email protected] - Password:
Chisom123.
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3240-128-0x00000000004375DE-mapping.dmp family_agenttesla behavioral2/memory/3240-127-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/3240-133-0x0000000005310000-0x000000000580E000-memory.dmp family_agenttesla -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
be39908fb0cae5cdbbb7982a6ace4f23.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\aKZoqyj = "C:\\Users\\Admin\\AppData\\Roaming\\aKZoqyj\\aKZoqyj.exe" be39908fb0cae5cdbbb7982a6ace4f23.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
be39908fb0cae5cdbbb7982a6ace4f23.exedescription pid process target process PID 2188 set thread context of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
be39908fb0cae5cdbbb7982a6ace4f23.exebe39908fb0cae5cdbbb7982a6ace4f23.exepid process 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe 3240 be39908fb0cae5cdbbb7982a6ace4f23.exe 3240 be39908fb0cae5cdbbb7982a6ace4f23.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
be39908fb0cae5cdbbb7982a6ace4f23.exebe39908fb0cae5cdbbb7982a6ace4f23.exedescription pid process Token: SeDebugPrivilege 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe Token: SeDebugPrivilege 3240 be39908fb0cae5cdbbb7982a6ace4f23.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
be39908fb0cae5cdbbb7982a6ace4f23.exedescription pid process target process PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe PID 2188 wrote to memory of 3240 2188 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\be39908fb0cae5cdbbb7982a6ace4f23.exe.log
MD565f1f0c7993639f9f9e1d524224a2c93
SHA15b51a6a56f3041dbc2d3f510252bbe68ffbbc59c
SHA256e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93
SHA5123e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23