TT COPY.exe
Size | 988KB
Date | 27-07-2021 13:09
MD5 | 197e571bfcf3f22816e245fef4f86b4f
SHA1 | 60df9b31aeb301c4c480da58f75be14d775cb604
SHA256 | fc22aaa35e5504461dd5ace02d041f7715bc25acf329d2070e02e854b54d4de0
Extracted
Field | Value
Family | agenttesla
Credentials | Protocol: smtp; Host: us2.smtp.mailhostbox.com; Port: 587; Username: paola.micheli@copangroup.xyz; Password: gibson.1990
AgentTesla
Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Reported IOCs
resource | yara_rule
behavioral1/memory/1764-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1764-66-0x000000000043760E-mapping.dmp | family_agenttesla
behavioral1/memory/1764-67-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
Drops file in Drivers directory (TT COPY.exe)
Reported IOCs
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | TT COPY.exe
Reads data files stored by FTP clients
Description: Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients
Description: Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers
Description: Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (TT COPY.exe)
Reported IOCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" | TT COPY.exe
Suspicious use of SetThreadContext (TT COPY.exe)
Reported IOCs
description | pid | process | target process
PID 452 set thread context of 1764 | 452 | TT COPY.exe | TT COPY.exe
Suspicious behavior: EnumeratesProcesses (TT COPY.exe)
Reported IOCs
pid | process
1764 | TT COPY.exe
1764 | TT COPY.exe
Suspicious use of AdjustPrivilegeToken (TT COPY.exe)
Reported IOCs
description | pid | process
Token: SeDebugPrivilege | 1764 | TT COPY.exe
Suspicious use of WriteProcessMemory (TT COPY.exe)
Reported IOCs
description | pid | process | target process
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
PID 452 wrote to memory of 1764 | 452 | TT COPY.exe | TT COPY.exe
process | command line | signatures
C:\Users\Admin\AppData\Local\Temp\TT COPY.exe | "C:\Users\Admin\AppData\Local\Temp\TT COPY.exe" | Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\TT COPY.exe | "C:\Users\Admin\AppData\Local\Temp\TT COPY.exe" | Drops file in Drivers directory; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Memory dumps
- memory/452-60-0x00000000013E0000-0x00000000013E1000-memory.dmp
- memory/452-62-0x0000000004A70000-0x0000000004A71000-memory.dmp
- memory/452-63-0x0000000000CE0000-0x0000000000D48000-memory.dmp
- memory/452-64-0x0000000000470000-0x000000000047F000-memory.dmp
- memory/1764-65-0x0000000000400000-0x000000000043C000-memory.dmp
- memory/1764-66-0x000000000043760E-mapping.dmp
- memory/1764-67-0x0000000000400000-0x000000000043C000-memory.dmp
- memory/1764-69-0x0000000004C70000-0x0000000004C71000-memory.dmp
- memory/1764-70-0x0000000004C71000-0x0000000004C72000-memory.dmp