Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
04-05-2021 15:22
Static task
static1
Behavioral task
behavioral1
Sample
pd9EeXdsQtNb3dQ.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
pd9EeXdsQtNb3dQ.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
pd9EeXdsQtNb3dQ.exe
-
Size
2.2MB
-
MD5
3dad3d4918e28ded77c3e2e93a42665f
-
SHA1
8b16dba4992b75a303f63a09d8a41ac99f28ce5c
-
SHA256
1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210
-
SHA512
57173561296c538c174c3299ea6b64156c48977d8f958f86f14578d4a630ea80e7b6b890e6d1a21f94a1d556173db442b953b685de910f25d886cdeda88b3132
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.iykmoreentrprise.org - Port:
587 - Username:
office5@iykmoreentrprise.org - Password:
rwkWCM328
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/368-65-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/368-66-0x00000000004375FE-mapping.dmp family_agenttesla behavioral1/memory/368-67-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Suspicious use of SetThreadContext 1 IoCs
Processes:
pd9EeXdsQtNb3dQ.exedescription pid process target process PID 1104 set thread context of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pd9EeXdsQtNb3dQ.exepid process 368 pd9EeXdsQtNb3dQ.exe 368 pd9EeXdsQtNb3dQ.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pd9EeXdsQtNb3dQ.exedescription pid process Token: SeDebugPrivilege 368 pd9EeXdsQtNb3dQ.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
pd9EeXdsQtNb3dQ.exedescription pid process target process PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe PID 1104 wrote to memory of 368 1104 pd9EeXdsQtNb3dQ.exe pd9EeXdsQtNb3dQ.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/368-65-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/368-66-0x00000000004375FE-mapping.dmp
-
memory/368-67-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/368-69-0x0000000004D00000-0x0000000004D01000-memory.dmpFilesize
4KB
-
memory/1104-59-0x0000000001240000-0x0000000001241000-memory.dmpFilesize
4KB
-
memory/1104-61-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/1104-62-0x0000000000640000-0x000000000064E000-memory.dmpFilesize
56KB
-
memory/1104-63-0x00000000051C0000-0x000000000523C000-memory.dmpFilesize
496KB
-
memory/1104-64-0x0000000000C80000-0x0000000000CBE000-memory.dmpFilesize
248KB