Analysis
  max time kernel:   119s
  max time network:  125s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         11-05-2021 12:45
Static task: static1

Behavioral task: behavioral1
  Sample:    yl9KgwwOXDZoGMw.exe
  Resource:  win7v20210410 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:    yl9KgwwOXDZoGMw.exe
  Resource:  win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
  Target:  yl9KgwwOXDZoGMw.exe
  Size:    906KB
  MD5:     798cb8a4ceae24a7a2fd213deb85a107
  SHA1:    3d7ec487833c318b475818cf771c2af165b6d82b
  SHA256:  f076d51c4fa09d0e318d43f41560fa50b8c4a4f327effa8aeafedf947800e4d8
  SHA512:  22dab34cf8ff46cc419705e4ab50929eeca9b20361f8716fea5d578c0e0a1e27e6a0d7c27a15a62d9923ca534b2e72c5aab49d66fd3f4e46d57cb3d6e5ca4532
  Score:   10/10
Malware Config
Extracted
  Family:  agenttesla
  Credentials
    Protocol:  smtp
    Host:      mail.privateemail.com
    Port:      587
    Username:  ken@kengrouco.xyz
    Password:  Everest10
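The extracted configuration is the most directly usable output of this report: it names the exfiltration mail server, port and account. The following is an added example (not part of the sandbox report or of Agent Tesla itself) that turns those values into two checks: an exact match against Sysmon Event ID 3 style network-connection records, and a generic heuristic for mail submission from a binary in a user-writable path. The connection records, the MAIL_CLIENTS allow-list and the paths are constructed for the example; the host, port and credentials are the ones listed above.

```python
import base64
import ntpath
import re

# Indicators taken directly from the extracted configuration above.
EXFIL_HOST = "mail.privateemail.com"
EXFIL_PORT = 587
EXFIL_USER = "ken@kengrouco.xyz"
EXFIL_PASS = "Everest10"

# Constructed Sysmon Event ID 3 (network connection) records, reduced to the
# fields the check needs. Illustrative only; not taken from the sandbox run.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe",
     "DestinationHostname": "mail.privateemail.com", "DestinationPort": 587},
    {"Image": r"C:\Users\Admin\AppData\Roaming\svc\update.exe",
     "DestinationHostname": "smtp.example.net", "DestinationPort": 465},
    {"Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "DestinationHostname": "smtp.example.net", "DestinationPort": 587},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},
]

SUBMISSION_PORTS = {25, 465, 587, 2525}
# Matches images under C:\Users\<name>\AppData\ (case-insensitive).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Hypothetical allow-list; a real one comes from the estate's software inventory.
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}


def classify(conn):
    """Return (severity, reason) for one connection record, or None if clean."""
    image = conn["Image"]
    host = conn["DestinationHostname"].lower()
    port = conn["DestinationPort"]
    exe = ntpath.basename(image).lower()
    if host == EXFIL_HOST and port == EXFIL_PORT:
        return ("high", "exact match on extracted AgentTesla SMTP config")
    if port in SUBMISSION_PORTS and exe not in MAIL_CLIENTS and USER_WRITABLE.match(image):
        return ("medium", "mail submission from a binary in a user-writable path")
    return None


def scan(connections):
    """Run classify() over every record; return (index, severity, reason) for hits."""
    hits = []
    for i, conn in enumerate(connections):
        verdict = classify(conn)
        if verdict is not None:
            hits.append((i, verdict[0], verdict[1]))
    return hits


def auth_plain_token(user, password):
    """Base64 SASL PLAIN initial response (RFC 4616, empty authzid) that a client
    sends as 'AUTH PLAIN <token>'. Usable as a payload indicator only on sessions
    that are not wrapped by STARTTLS."""
    return base64.b64encode(b"\x00" + user.encode() + b"\x00" + password.encode()).decode()


def auth_login_tokens(user, password):
    """The two base64 lines a client sends after 'AUTH LOGIN'."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


if __name__ == "__main__":
    for hit in scan(SAMPLE_CONNECTIONS):
        print(hit)
    print("AUTH PLAIN", auth_plain_token(EXFIL_USER, EXFIL_PASS))
    print("AUTH LOGIN", auth_login_tokens(EXFIL_USER, EXFIL_PASS))
```

The exact-match rule is brittle by design (the operator can change the mailbox in the next build); the path-based heuristic is what catches the next sample with a different config. The AUTH tokens are only worth searching for in captured SMTP payloads where the session was not upgraded to TLS on port 587.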
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer built on the .NET Framework (the sandbox's signature text describes it as written in Visual Basic, i.e. VB.NET). Its usual exfiltration channel is SMTP, which matches the extracted configuration above.

AgentTesla Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1284-63-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  behavioral1/memory/1284-64-0x000000000043767E-mapping.dmp                    family_agenttesla
Both YARA matches are on memory dumped from the second yl9KgwwOXDZoGMw.exe instance (PID 1284), not on the file on disk. The 240KB region at 0x400000-0x43C000 is the image that PID 456 wrote into that process, and the mapping dump address 0x43767E lies inside it. A file-hash or on-disk YARA check alone would therefore not identify this sample as Agent Tesla.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process               target process
  PID 456 set thread context of 1284   456   yl9KgwwOXDZoGMw.exe   yl9KgwwOXDZoGMw.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  1284   yl9KgwwOXDZoGMw.exe
  1284   yl9KgwwOXDZoGMw.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    process
  Token: SeDebugPrivilege   1284   yl9KgwwOXDZoGMw.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid    process               target process        count
  PID 456 wrote to memory of 1284   456    yl9KgwwOXDZoGMw.exe   yl9KgwwOXDZoGMw.exe   9
  PID 1284 wrote to memory of 568   1284   yl9KgwwOXDZoGMw.exe   dw20.exe              4
The nine 456 -> 1284 writes together with the SetThreadContext call are process hollowing: the first instance starts a second copy of its own image, overwrites the mapped image with the unpacked Agent Tesla payload and redirects a thread of the child into it. The four 1284 -> 568 writes target dw20.exe, the .NET Framework error-reporting shim, which the CLR launches on an unhandled exception; a parent writing into a child it has just created is also what ordinary process creation looks like, so those rows are not evidence of injection on their own. The dw20.exe launch indicates that the hollowed payload crashed in this run, which is consistent with no network activity being listed below.
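The SetThreadContext and WriteProcessMemory rows above only become a finding when they are correlated per (source, target) pair: remote writes alone are normal for a parent creating a child (the 1284 -> 568 dw20.exe rows), while writes plus a thread-context change from the same source into the same target is hollowing. The following is an added example, not part of the sandbox report, that applies that correlation to rows written in the report's own wording. The SAMPLE_EVENTS text is constructed for the example (with the write rows placed before the SetThreadContext row, as the calls occur); the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed rows in the wording this report uses for its SetThreadContext /
# WriteProcessMemory IoC tables. Illustrative; not an export from the sandbox.
SAMPLE_EVENTS = """\
PID 456 wrote to memory of 1284 456 yl9KgwwOXDZoGMw.exe yl9KgwwOXDZoGMw.exe
PID 456 wrote to memory of 1284 456 yl9KgwwOXDZoGMw.exe yl9KgwwOXDZoGMw.exe
PID 456 wrote to memory of 1284 456 yl9KgwwOXDZoGMw.exe yl9KgwwOXDZoGMw.exe
PID 456 set thread context of 1284 456 yl9KgwwOXDZoGMw.exe yl9KgwwOXDZoGMw.exe
PID 1284 wrote to memory of 568 1284 yl9KgwwOXDZoGMw.exe dw20.exe
PID 1284 wrote to memory of 568 1284 yl9KgwwOXDZoGMw.exe dw20.exe
"""

# "PID <src> <action> <dst> <src> <src image> <dst image>"; the second <src>
# must equal the first, as in the report's rows.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_events(text):
    """Turn report-style rows into (src, dst, action, src_image, dst_image) tuples.
    Lines that are not IoC rows are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["action"],
                           m["src_image"], m["dst_image"]))
    return events


def find_hollowing(events):
    """Correlate per (src, dst) pair. Writes + SetThreadContext from the same
    source into the same target is process hollowing; writes alone are what a
    parent does to a child it just created and are reported as low confidence."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": None})
    for src, dst, action, s_img, d_img in events:
        rec = pairs[(src, dst)]
        rec["images"] = (s_img, d_img)
        if action == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["ctx"] += 1

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        s_img, d_img = rec["images"]
        if rec["ctx"] and rec["writes"]:
            verdict, confidence = "process hollowing", "high"
            if s_img.lower() == d_img.lower():
                verdict += " (self-injection into a copy of the same image)"
        elif rec["ctx"]:
            verdict, confidence = "remote thread context change without writes", "medium"
        else:
            verdict, confidence = "remote memory writes only (normal for parent->child)", "low"
        findings.append({"src": src, "dst": dst, "src_image": s_img, "dst_image": d_img,
                         "writes": rec["writes"], "ctx": rec["ctx"],
                         "verdict": verdict, "confidence": confidence})
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The same-image check is what distinguishes this sample's behaviour (a dropper hollowing a copy of itself) from injection into a system binary such as RegAsm.exe or MSBuild.exe, which Agent Tesla loaders also use; both are reported as high confidence, the suffix only records which variant was seen.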
Processes
1. C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
   "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
      "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         dw20.exe -x -s 520
Network
MITRE ATT&CK Matrix
Downloads
  memory/456-60-0x0000000075591000-0x0000000075593000-memory.dmp    8KB
  memory/456-61-0x00000000009F0000-0x00000000009F1000-memory.dmp    4KB
  memory/456-62-0x00000000009F1000-0x00000000009F2000-memory.dmp    4KB
  memory/568-67-0x0000000000000000-mapping.dmp
  memory/568-69-0x00000000004C0000-0x00000000004C1000-memory.dmp    4KB
  memory/1284-63-0x0000000000400000-0x000000000043C000-memory.dmp   240KB   (family_agenttesla YARA match)
  memory/1284-64-0x000000000043767E-mapping.dmp                             (family_agenttesla YARA match)
  memory/1284-66-0x0000000002470000-0x0000000002471000-memory.dmp   4KB