Analysis
Max time kernel: 110s
Max time network: 47s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 27-07-2021 13:08

Static task: static1

Behavioral task: behavioral1
Sample: wealthzx.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: wealthzx.exe
Resource: win10v20210408 (windows10_x64)
0 signatures, 0 seconds
General
Target: wealthzx.exe
Size: 1.6MB
MD5: 60d92de4c9490fc49ab899cad9bb3efb
SHA1: c8b3aaa04c2790d283db59b834712aef8cb17026
SHA256: c1aa3996fb100371e8d443417f1c90f959306af345dc4436d5382e49bb205ac7
SHA512: c986703bc1fd4130c3a8b4b4d8f16d998b390c0b04e628f7e9d6d8c3f378be9177de71457dd2ee09f4657d3b124e9b2b295a6f40927bc2f8692adacc42ff0b97
Malware Config
Extracted
Family: agenttesla
Credentials (the SMTP account this Agent Tesla build is configured to send collected data through):
Protocol: smtp
Host: mail.sodag-agricole.com
Port: 587
Username: sodag@sodag-agricole.com
Password: agricole**sodag+1990
Signatures

AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic .NET; the extracted config above holds the SMTP account it reports to.

AgentTesla Payload (3 IoCs)
resource                                                                    yara_rule
behavioral1/memory/560-67-0x00000000004374FE-mapping.dmp                    family_agenttesla
behavioral1/memory/560-66-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
behavioral1/memory/560-68-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
All three YARA hits are in the memory of PID 560, the child process that PID 2016 writes into and re-contexts in the signatures below: the decrypted payload exists only in the injected child, not in the on-disk sample.
Adds Run key to start application (2 TTPs, 1 IoC)
process       description      ioc
wealthzx.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\xepul = "C:\\Users\\Admin\\AppData\\Roaming\\xepul\\xepul.exe"
The value lives under the user's own hive (HKCU Run), so no elevation is needed, and it points at a copy under %APPDATA%\xepul\ rather than at the original sample in %TEMP%.
Suspicious use of SetThreadContext (1 IoC)
description         pid   process       target pid  target process
set thread context  2016  wealthzx.exe  560         wealthzx.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  process
560  wealthzx.exe
560  wealthzx.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  2016  wealthzx.exe
Token: SeDebugPrivilege  560   wealthzx.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description      pid   process       target pid  target process
wrote to memory  2016  wealthzx.exe  560         wealthzx.exe   (9 identical events)
Processes
C:\Users\Admin\AppData\Local\Temp\wealthzx.exe  "C:\Users\Admin\AppData\Local\Temp\wealthzx.exe"  (PID 2016, per the signatures above)
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\wealthzx.exe  "C:\Users\Admin\AppData\Local\Temp\wealthzx.exe"  (PID 560, child of 2016)
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
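The signature rows and process tree above describe one chain: the parent spawns a second copy of itself, writes into it nine times, swaps a thread context (the hollowing / RunPE pattern), and the injected child then sets the Run key. The script below is an added example, not part of the sandbox report, that turns that reasoning into detection logic over event lines. The line format (`kind key=value ...`) is a constructed, simplified rendering of the report's rows, not the sandbox's export format; the PIDs, paths and registry value are taken from the report.

```python
# Added example (not part of the sandbox report): correlate WriteProcessMemory +
# SetThreadContext into a hollowing finding and tie Run-key persistence to the
# injected child. Event line format is constructed for this example.
import re
from collections import defaultdict

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.IGNORECASE)

# Constructed sample events; values copied from the report above.
_IMG = r"C:\Users\Admin\AppData\Local\Temp\wealthzx.exe"
_RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\xepul")
_RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\xepul\xepul.exe"
SAMPLE_EVENTS = (
    f"process_start pid=2016 image={_IMG}\n"
    + "token_adjust pid=2016 priv=SeDebugPrivilege\n"
    + f"process_start pid=560 ppid=2016 image={_IMG}\n"
    + "write_process_memory pid=2016 target=560\n" * 9
    + "set_thread_context pid=2016 target=560\n"
    + "token_adjust pid=560 priv=SeDebugPrivilege\n"
    + "enumerate_processes pid=560\n" * 2
    + f"registry_set pid=560 key={_RUN_KEY} value=\"{_RUN_VALUE}\"\n"
)

def parse_events(text):
    """Parse 'kind k=v k=v ...' lines into dicts; quoted values may contain spaces."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
        ev["kind"] = kind
        events.append(ev)
    return events

def detect_hollowing(events):
    """Flag (injector, target) pairs where the injector both wrote into the target
    and replaced a thread context. Confidence is high when the target is the
    injector's own child running the same image (self-hollowing, as in this report)."""
    image, parent, debug = {}, {}, set()
    writes = defaultdict(int)
    context = set()
    for e in events:
        k = e["kind"]
        if k == "process_start":
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e.get("ppid")
        elif k == "token_adjust" and e.get("priv") == "SeDebugPrivilege":
            debug.add(e["pid"])
        elif k == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif k == "set_thread_context":
            context.add((e["pid"], e["target"]))
    findings = []
    for inj, tgt in sorted(context):
        if not writes[(inj, tgt)]:
            continue  # a context swap with no memory write is not the hollowing pattern
        self_injection = image.get(inj) is not None and image.get(inj) == image.get(tgt)
        findings.append({
            "type": "process_hollowing", "injector": inj, "target": tgt,
            "writes": writes[(inj, tgt)], "self_injection": self_injection,
            "injector_has_debug_priv": inj in debug,
            "confidence": "high" if self_injection and parent.get(tgt) == inj else "medium",
        })
    return findings

def detect_persistence(events, hollowed_pids):
    """Run-key writes, marked when the writer is a process something else injected into."""
    findings = []
    for e in events:
        if e["kind"] == "registry_set" and RUN_KEY_RE.search(e.get("key", "")):
            findings.append({
                "type": "run_key_persistence", "pid": e["pid"],
                "value_name": e["key"].rsplit("\\", 1)[-1], "target": e["value"],
                "from_hollowed_process": e["pid"] in hollowed_pids,
            })
    return findings

def analyse(text):
    events = parse_events(text)
    hollow = detect_hollowing(events)
    return hollow + detect_persistence(events, {f["target"] for f in hollow})

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

The order of the WriteProcessMemory events relative to SetThreadContext is not checked, because the sandbox rows above carry no timestamps; on a real EDR feed you would additionally require the writes to precede the context swap and the target thread to still be suspended.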
Network
Downloads
file                                                             size
memory/560-67-0x00000000004374FE-mapping.dmp                     -
memory/560-66-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/560-68-0x0000000000400000-0x000000000043C000-memory.dmp   240KB
memory/560-70-0x0000000000440000-0x0000000000441000-memory.dmp   4KB
memory/2016-60-0x0000000001340000-0x0000000001341000-memory.dmp  4KB
memory/2016-62-0x0000000004990000-0x0000000004991000-memory.dmp  4KB
memory/2016-63-0x0000000000390000-0x00000000003BD000-memory.dmp  180KB
memory/2016-64-0x0000000004F10000-0x0000000004F87000-memory.dmp  476KB
memory/2016-65-0x0000000000710000-0x0000000000749000-memory.dmp  228KB
The two 240KB dumps of PID 560 cover 0x400000-0x43C000, the image region of the injected child, and are the files the family_agenttesla YARA rule matched; the mapping dump at 0x4374FE falls inside that region (RVA 0x374FE). The PID 2016 dumps are regions of the parent that performed the injection.
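When triaging such a list, the useful question is which dump holds the unpacked payload. The script below is an added example, not part of the sandbox report: it parses the dump names listed above, recovers pid / region / size, and picks out the full-region dump of the injected child that starts at the classic PE ImageBase. The filenames are copied from the report; the naming scheme assumed (`pid-seq-start[-end]-kind.dmp`) is inferred from those names, not taken from sandbox documentation.

```python
# Added example (not part of the sandbox report): parse the memory dump names
# above and single out the injected child's image region. The filename scheme
# is an inference from the listed names.
import re

DUMP_RE = re.compile(
    r"^(?:memory/)?(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Dump names as listed in the report's Downloads section.
DUMP_NAMES = """\
memory/560-67-0x00000000004374FE-mapping.dmp
memory/560-66-0x0000000000400000-0x000000000043C000-memory.dmp
memory/560-68-0x0000000000400000-0x000000000043C000-memory.dmp
memory/560-70-0x0000000000440000-0x0000000000441000-memory.dmp
memory/2016-60-0x0000000001340000-0x0000000001341000-memory.dmp
memory/2016-62-0x0000000004990000-0x0000000004991000-memory.dmp
memory/2016-63-0x0000000000390000-0x00000000003BD000-memory.dmp
memory/2016-64-0x0000000004F10000-0x0000000004F87000-memory.dmp
memory/2016-65-0x0000000000710000-0x0000000000749000-memory.dmp
"""

def parse_dump_name(name):
    """Split a dump name into pid, sequence, kind, start/end address and byte size.
    Mapping dumps carry a single address and therefore no size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name.strip(), "pid": int(m["pid"]), "seq": int(m["seq"]),
            "kind": m["kind"], "start": start, "end": end,
            "size": (end - start) if end is not None else None}

def size_kb(d):
    return d["size"] // 1024 if d["size"] is not None else None

def find_injected_image(dumps, target_pid, image_base=0x400000):
    """Largest full-region dump of target_pid starting at image_base. A hollowed
    child carries the written-in PE there (assumed layout; in this report the
    YARA hits land on exactly these dumps)."""
    cands = [d for d in dumps
             if d["pid"] == target_pid and d["kind"] == "memory" and d["start"] == image_base]
    return max(cands, key=lambda d: d["size"], default=None)

def mappings_inside(dumps, region):
    """Mapping dumps of the same pid whose address lies inside region, with the RVA."""
    return [(d["name"], d["start"] - region["start"]) for d in dumps
            if d["pid"] == region["pid"] and d["kind"] == "mapping"
            and region["start"] <= d["start"] < region["end"]]

def analyse(names=DUMP_NAMES, target_pid=560):
    dumps = [parse_dump_name(n) for n in names.splitlines() if n.strip()]
    img = find_injected_image(dumps, target_pid)
    return {"dumps": dumps, "injected_image": img,
            "mappings_in_image": mappings_inside(dumps, img) if img else []}

if __name__ == "__main__":
    r = analyse()
    for d in r["dumps"]:
        print(f"pid={d['pid']:<5} seq={d['seq']:<3} {d['kind']:<8} {size_kb(d)} KB")
    print("injected image:", r["injected_image"]["name"])
    print("mappings inside:", r["mappings_in_image"])
```

The region sizes computed from the addresses agree with the sizes the report prints (0x43C000 - 0x400000 = 0x3C000 = 240KB, and so on), which is a cheap sanity check before downloading a dump for static analysis.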