pd9EeXdsQtNb3dQ.exe

General

Target: pd9EeXdsQtNb3dQ.exe
Filesize: 2MB
Completed: 04-05-2021 15:24
Score: 10/10
MD5: 3dad3d4918e28ded77c3e2e93a42665f
SHA1: 8b16dba4992b75a303f63a09d8a41ac99f28ce5c
SHA256: 1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210

Malware Config

Extracted

Family: agenttesla
Credentials
Protocol: smtp
Host: mail.iykmoreentrprise.org
Port: 587
Username: office5@iykmoreentrprise.org
Password: rwkWCM328
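The extracted configuration is the sample's exfiltration channel: an SMTP account that Agent Tesla logs into to mail out harvested credentials and keystrokes. A responder turns it into indicators to hunt for in DNS, firewall and mail-relay logs, and reports the account to the mail provider rather than using it. The script below is an added example written for this page, not sandbox output: the log lines it scans are constructed, and the registrable-domain logic assumes a two-label domain.

```python
import re

# Values copied from the "Malware Config" section of this report.
AGENTTESLA_CONFIG = {
    "protocol": "smtp",
    "host": "mail.iykmoreentrprise.org",
    "port": 587,
    "username": "office5@iykmoreentrprise.org",
    # The password is deliberately left out: it is an indicator to report and block, not to use.
}


def iocs_from_config(cfg):
    """Derive hunt-able indicators from the extracted exfiltration config.

    The registrable domain is taken as the last two labels; that assumption holds
    for this .org host but would be wrong under multi-label suffixes such as .co.uk.
    """
    host = cfg["host"].lower()
    return {
        "host": host,
        "domain": ".".join(host.split(".")[-2:]),
        "port": int(cfg["port"]),
        "account": cfg["username"].lower(),
    }


def hunt(lines, iocs):
    """Return (line_index, indicator_kind) for every log line that references the C2.

    "account" outranks "host": a mail log carrying the AUTH username shows the malware
    actually authenticated, whereas a bare hostname in a DNS log only shows a lookup.
    "smtp_endpoint" means the C2 host was seen together with the configured port.
    """
    port_re = re.compile(r"(?:dport=|port=|:)%d\b" % iocs["port"])
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        if iocs["account"] in low:
            hits.append((i, "account"))
        elif iocs["host"] in low:
            hits.append((i, "smtp_endpoint" if port_re.search(low) else "host"))
        elif iocs["domain"] in low:
            hits.append((i, "domain"))
    return hits


# Constructed log lines for demonstration; they are not from the sandbox run.
SAMPLE_LOGS = [
    "2021-05-04T15:20:11Z dns client=10.0.0.23 query=mail.iykmoreentrprise.org type=A",
    "2021-05-04T15:20:12Z fw action=allow src=10.0.0.23 dsthost=mail.iykmoreentrprise.org dport=587 proto=tcp",
    "2021-05-04T15:20:13Z proxy client=10.0.0.23 host=updates.example.com status=200",
    "2021-05-04T15:20:14Z smtp client=10.0.0.23 auth_user=office5@iykmoreentrprise.org result=ok",
    "2021-05-04T15:20:15Z dns client=10.0.0.41 query=www.iykmoreentrprise.org type=A",
]

if __name__ == "__main__":
    for idx, kind in hunt(SAMPLE_LOGS, iocs_from_config(AGENTTESLA_CONFIG)):
        print(kind, "->", SAMPLE_LOGS[idx])
```

Matching on port 587 alone is not used as an indicator: submission-port traffic is normal in most networks, so the port only sharpens a hit that already names the C2 host.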

Signatures 6

  • AgentTesla

    Description

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    Resource                                                                    YARA rule
    behavioral1/memory/368-65-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/368-66-0x00000000004375FE-mapping.dmp                    family_agenttesla
    behavioral1/memory/368-67-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  • Suspicious use of SetThreadContext
    pd9EeXdsQtNb3dQ.exe

    Reported IOCs

    Description                             PID   Process              Target process
    PID 1104 set thread context of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
  • Suspicious behavior: EnumeratesProcesses
    pd9EeXdsQtNb3dQ.exe

    Reported IOCs

    PID   Process
    368   pd9EeXdsQtNb3dQ.exe
    368   pd9EeXdsQtNb3dQ.exe
  • Suspicious use of AdjustPrivilegeToken
    pd9EeXdsQtNb3dQ.exe

    Reported IOCs

    Description               PID   Process
    Token: SeDebugPrivilege   368   pd9EeXdsQtNb3dQ.exe
  • Suspicious use of WriteProcessMemory
    pd9EeXdsQtNb3dQ.exe

    Reported IOCs

    Description                          PID   Process              Target process
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
    PID 1104 wrote to memory of 368      1104  pd9EeXdsQtNb3dQ.exe  pd9EeXdsQtNb3dQ.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe
    "C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe
      "C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:368
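Read together, the signatures and the process tree describe process hollowing: the first instance (PID 1104) spawns a second copy of its own image (PID 368), writes into it nine times, and then redirects a thread with SetThreadContext; the second copy is the one that enables SeDebugPrivilege and enumerates processes, and its region 0x400000-0x43C000 is what the family_agenttesla YARA rule matched, i.e. the unpacked payload. The script below is an added example, not part of the report: it re-encodes the process tree and signature rows as records, flags the write-plus-SetThreadContext pair between a parent and a child of the same image, and parses the memory-dump file names so the mapping address 0x4375FE can be checked against the dumped regions. Reading that address as the entry point the redirected thread was pointed at is an assumption; the report itself only gives the address.

```python
import re
from collections import Counter

# Process tree and signature rows copied from this report, re-encoded as plain records.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"
PROCESSES = {
    1104: {"image": IMAGE, "parent": None},
    368: {"image": IMAGE, "parent": 1104},
}
# (operation, acting pid, target pid); the report lists nine WriteProcessMemory rows.
EVENTS = (
    [("WriteProcessMemory", 1104, 368)] * 9
    + [("SetThreadContext", 1104, 368), ("AdjustPrivilegeToken", 368, 368)]
)


def detect_hollowing(processes, events):
    """Flag every (writer, target) pair that shows both hollowing primitives:
    cross-process writes followed by a thread-context change in the same target.
    Neither primitive alone is conclusive (debuggers and installers use both),
    so a finding also records whether the target is the writer's own child and
    whether both run the same image, the shape a self-hollowing loader produces."""
    writes = Counter((s, t) for op, s, t in events if op == "WriteProcessMemory" and s != t)
    ctx = {(s, t) for op, s, t in events if op == "SetThreadContext" and s != t}
    findings = []
    for src, dst in sorted(ctx & set(writes)):
        child = processes.get(dst, {})
        findings.append({
            "writer": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "is_child": child.get("parent") == src,
            "same_image": child.get("image") == processes.get(src, {}).get("image"),
        })
    return findings


# Dump names follow "<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp";
# "memory" dumps carry a range, "mapping" dumps a single address.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_dump_name(name):
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError("unrecognised dump name: %s" % name)
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
        "start": start, "end": end, "size": (end - start) if end is not None else 0,
    }


def regions_containing(dumps, addr):
    """Memory-range dumps whose [start, end) interval covers addr."""
    return [d for d in dumps if d["kind"] == "memory" and d["start"] <= addr < d["end"]]


# The nine dump names listed under "Downloads" in this report.
REPORT_DUMPS = [parse_dump_name(n) for n in [
    "memory/368-66-0x00000000004375FE-mapping.dmp",
    "memory/368-67-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/368-69-0x0000000004D00000-0x0000000004D01000-memory.dmp",
    "memory/368-65-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/1104-63-0x00000000051C0000-0x000000000523C000-memory.dmp",
    "memory/1104-64-0x0000000000C80000-0x0000000000CBE000-memory.dmp",
    "memory/1104-59-0x0000000001240000-0x0000000001241000-memory.dmp",
    "memory/1104-61-0x0000000004F80000-0x0000000004F81000-memory.dmp",
    "memory/1104-62-0x0000000000640000-0x000000000064E000-memory.dmp",
]]

if __name__ == "__main__":
    for f in detect_hollowing(PROCESSES, EVENTS):
        print("hollowing candidate:", f)
    mapping = [d for d in REPORT_DUMPS if d["kind"] == "mapping"][0]
    for r in regions_containing(REPORT_DUMPS, mapping["start"]):
        print("0x%X lies in pid %d region 0x%X-0x%X (%d bytes)"
              % (mapping["start"], r["pid"], r["start"], r["end"], r["size"]))
```

The write count and the same-image check are what separate this from a legitimate parent writing to a child: a loader that hollows a copy of itself produces exactly the pattern above, while the two 1104 regions are the packer's own heap and never match the payload rule.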
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • memory/368-66-0x00000000004375FE-mapping.dmp
  • memory/368-67-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/368-69-0x0000000004D00000-0x0000000004D01000-memory.dmp
  • memory/368-65-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1104-63-0x00000000051C0000-0x000000000523C000-memory.dmp
  • memory/1104-64-0x0000000000C80000-0x0000000000CBE000-memory.dmp
  • memory/1104-59-0x0000000001240000-0x0000000001241000-memory.dmp
  • memory/1104-61-0x0000000004F80000-0x0000000004F81000-memory.dmp
  • memory/1104-62-0x0000000000640000-0x000000000064E000-memory.dmp