Overview

overview

10

Static

static

RFQ Gas Pi...01.exe

windows7_x64

10

RFQ Gas Pi...01.exe

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-05-2021 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ Gas Pipeline RS003 - 01.exe

  • Size

    731KB

  • MD5

    b5634b763669d07859bc6fc83c22a4cd

  • SHA1

    4555074dc437ff0f5adb3d83df8fdce9593df968

  • SHA256

    4b5b9b554eb832db072581a89807301c294360acac0a605c9d97e0d2d06f621a

  • SHA512

    4d7480817705aee9f921ed6978b8cec3bc99903b349153282d4bee8d4b83698e0ade30e1b8ec9a7257bf35c4a79466bf43753cbe47fd894d17dbc334b8a1c62a

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.buzon-th.com
  • Port:
    587
  • Username:
    lnfo@buzon-th.com
  • Password:
    EawrAmEfow

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ Gas Pipeline RS003 - 01.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ Gas Pipeline RS003 - 01.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:3344
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:3056
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3544

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3544-124-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3544-135-0x0000000005031000-0x0000000005032000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3544-132-0x0000000005C50000-0x0000000005C51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3544-131-0x00000000054A0000-0x00000000054A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3544-130-0x0000000005030000-0x0000000005031000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3544-125-0x00000000004375FE-mapping.dmp
        Download
      • memory/3856-118-0x0000000007550000-0x0000000007551000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3856-122-0x00000000054E0000-0x0000000005574000-memory.dmp
        Filesize

        592KB

        Download
      • memory/3856-123-0x0000000005B50000-0x0000000005BA3000-memory.dmp
        Filesize

        332KB

        Download
      • memory/3856-121-0x0000000002A90000-0x0000000002A9E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3856-120-0x0000000009610000-0x0000000009611000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3856-119-0x0000000007510000-0x0000000007A0E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3856-114-0x0000000000780000-0x0000000000781000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3856-117-0x00000000075B0000-0x00000000075B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3856-116-0x0000000007A10000-0x0000000007A11000-memory.dmp
        Filesize

        4KB

        Download