PO OPOR20068.exe

General

Target:     PO OPOR20068.exe
Filesize:   724 KB
Completed:  27-07-2021 16:06
Score:      10/10
MD5:     c62b99c24181e32a199909b7abc7bfe2
SHA1:    612ba065ee0abdacbace51cc127cc6f10675836a
SHA256:  904ce2cc4a696ddc786ab3a74f7e301e49ff555bac6f2658a336b408db927777

Malware Config

Extracted

Family:    agenttesla

Credentials

These are the mailbox credentials the sample uses to send stolen data out over SMTP; they belong to an account under the operator's control (often a compromised legitimate mailbox), not to the victim.

Protocol:  smtp
Host:      webmail.worldlinkcolombo.net
Port:      587
Username:  pamuditha@worldlinkcolombo.net
Password:  FBF8TNIO60WI6615677789
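What a responder does with an extracted exfil config is hunt for it. The following is an added example, not part of the sandbox report: it turns the extracted SMTP config into indicators, resolves the exfil hostname to the addresses clients actually received (from DNS logs, since conn logs carry IPs, not names) and then flags connections to those addresses plus any other SMTP-submission traffic to hosts that are not approved relays. The dns.log and conn.log lines are constructed for the example with RFC 5737 documentation addresses; the `approved_relays` parameter and the field layout are assumptions of this script, not something the report provides.

```python
# Added example (not part of the sandbox report): turn the extracted AgentTesla
# SMTP config into hunt indicators and run them over Zeek-style DNS and conn logs.
# The config values are the ones shown in the report; the log lines are
# constructed for this example and use RFC 5737 documentation addresses.

EXTRACTED_CONFIG = {
    "family": "agenttesla",
    "protocol": "smtp",
    "host": "webmail.worldlinkcolombo.net",
    "port": 587,
    "username": "pamuditha@worldlinkcolombo.net",
    # The password from the report is intentionally left out: it is evidence of a
    # compromised mailbox to hand to its owner, not a search term.
}

# Constructed dns.log: ts, uid, client, query, qtype, answers (comma-separated)
DNS_LOG = """\
1627394760.100\tCd1\t10.0.0.25\twebmail.worldlinkcolombo.net\tA\t203.0.113.10
1627394761.200\tCd2\t10.0.0.25\twww.example.com\tA\t198.51.100.7
1627394790.000\tCd3\t10.0.0.31\tWebmail.WorldLinkColombo.net.\tA\t203.0.113.10,203.0.113.11
"""

# Constructed conn.log: ts, uid, orig_h, orig_p, resp_h, resp_p, proto
CONN_LOG = """\
1627394762.000\tCc1\t10.0.0.25\t49811\t203.0.113.10\t587\ttcp
1627394763.000\tCc2\t10.0.0.25\t49812\t198.51.100.7\t443\ttcp
1627394799.000\tCc3\t10.0.0.31\t50020\t203.0.113.11\t587\ttcp
1627394800.000\tCc4\t10.0.0.40\t50100\t192.0.2.5\t587\ttcp
1627394801.000\tCc5\t10.0.0.40\t50101\t203.0.113.10\t25\ttcp
"""


def c2_addresses(dns_log, host):
    """Collect every A record clients received for the exfil host.

    Matching on the name rather than a hard-coded IP matters because a webmail
    host can resolve to several addresses and change over time.
    """
    wanted = host.lower().rstrip(".")
    addrs = set()
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, _uid, _client, query, qtype, answers = line.split("\t")
        if qtype == "A" and query.lower().rstrip(".") == wanted:
            addrs.update(a for a in answers.split(",") if a)
    return addrs


def hunt(conn_log, dns_log, cfg, approved_relays=frozenset()):
    """Return (uid, src, dst, reason) for connections worth a look.

    'known-c2': any TCP connection to an address the exfil host resolved to.
    'unapproved-submission': TCP on the configured port to a host that is not an
    approved mail relay; other AgentTesla builds carry different mailboxes, so a
    workstation speaking SMTP submission to an arbitrary host is the broader signal.
    """
    c2 = c2_addresses(dns_log, cfg["host"])
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, uid, src, _sport, dst, dport, proto = line.split("\t")
        if proto != "tcp":
            continue
        if dst in c2:
            hits.append((uid, src, dst, "known-c2"))
        elif int(dport) == cfg["port"] and dst not in approved_relays:
            hits.append((uid, src, dst, "unapproved-submission"))
    return hits


if __name__ == "__main__":
    for hit in hunt(CONN_LOG, DNS_LOG, EXTRACTED_CONFIG, approved_relays={"192.0.2.5"}):
        print(*hit)
```

Port 587 is STARTTLS submission, so the stolen data is encrypted on the wire; hunting keys on the destination, not the content. The mail host itself is likely a legitimate server hosting an abused mailbox, so the right action for the credentials is to notify the mailbox owner or provider, not to log in.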

Signatures (10)

  • AgentTesla
    Tactics: Collection, Credential Access

    Description

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT). It harvests saved credentials from browsers, email clients and FTP clients and sends them to the operator, in this sample over SMTP (see Malware Config).

  • AgentTesla Payload

    Reported IOCs

    resource                                                                    yara_rule
    behavioral1/memory/564-66-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/564-67-0x000000000043764E-mapping.dmp                    family_agenttesla
    behavioral1/memory/564-68-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla

    All matches are in PID 564, the child that PID 736 wrote into and whose thread context it set. The 0x400000-0x43C000 region is the unpacked payload at the default 32-bit image base; that dump is the one to take for static analysis.
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System (T1005); Unsecured Credentials: Credentials in Files (T1552.001)
  • Reads user/profile data of local email clients

    Description

    Email clients store account settings and saved credentials on disk, a common infostealer target.

    TTPs

    Data from Local System (T1005); Unsecured Credentials: Credentials in Files (T1552.001)
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System (T1005); Unsecured Credentials: Credentials in Files (T1552.001)
  • Suspicious use of SetThreadContext
    PO OPOR20068.exe

    Reported IOCs

    description                        pid  process           target process
    PID 736 set thread context of 564  736  PO OPOR20068.exe  PO OPOR20068.exe
  • Suspicious behavior: EnumeratesProcesses
    PO OPOR20068.exe, PO OPOR20068.exe

    Reported IOCs

    pid  process
    736  PO OPOR20068.exe
    736  PO OPOR20068.exe
    564  PO OPOR20068.exe
    564  PO OPOR20068.exe
  • Suspicious use of AdjustPrivilegeToken
    PO OPOR20068.exe, PO OPOR20068.exe

    Reported IOCs

    description               pid  process
    Token: SeDebugPrivilege   736  PO OPOR20068.exe
    Token: SeDebugPrivilege   564  PO OPOR20068.exe
  • Suspicious use of SetWindowsHookEx
    PO OPOR20068.exe

    Reported IOCs

    pid  process
    564  PO OPOR20068.exe
  • Suspicious use of WriteProcessMemory
    PO OPOR20068.exe

    Reported IOCs (identical rows collapsed into a count)

    description                      count  pid  process           target process
    PID 736 wrote to memory of 1092  4      736  PO OPOR20068.exe  PO OPOR20068.exe
    PID 736 wrote to memory of 564   9      736  PO OPOR20068.exe  PO OPOR20068.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe
    "C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe"
    PID: 736
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe
      "C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe"
      PID: 1092
      (no signatures)
    • C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe
      "C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe"
      PID: 564
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
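The detail that matters in the API-call rows and the process tree is that writer and target run the same image: PID 736 spawns copies of itself, writes into them, and in the case of 564 redirects execution with SetThreadContext, which is the CreateProcess(suspended) / WriteProcessMemory / SetThreadContext / ResumeThread chain of process hollowing. PID 1092 received four writes but no thread-context change and carries no signatures, which is what an injection that never redirected execution looks like; 564, with nine writes and the context set, is where the YARA rule matched and SetWindowsHookEx was observed. The following is an added example, not code from the sandbox or from the report, that reads event lines in the report's own wording plus the process tree and classifies each writer/target pair; `IMAGES` and `EVENT_LINES` are transcribed from the page, and the verdict names are this script's own.

```python
# Added example (not from the sandbox report): classify writer/target pairs from
# the report's WriteProcessMemory and SetThreadContext rows as process hollowing
# (same image, execution redirected), cross-image injection, or an incomplete
# write-only attempt. Event text and PIDs are transcribed from the report.
import re
from dataclasses import dataclass

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Image path per PID, from the report's process tree.
IMAGES = {
    736: r"C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe",
    1092: r"C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe",
    564: r"C:\Users\Admin\AppData\Local\Temp\PO OPOR20068.exe",
}

# Transcribed from the IOC rows: 4 writes to 1092, 9 writes to 564, one context set.
EVENT_LINES = (
    ["PID 736 wrote to memory of 1092"] * 4
    + ["PID 736 wrote to memory of 564"] * 9
    + ["PID 736 set thread context of 564"]
)


@dataclass
class InjectionRecord:
    source: int
    target: int
    writes: int = 0
    thread_context_set: bool = False


def collect(event_lines):
    """Aggregate write counts and thread-context changes per (source, target) pair."""
    records = {}
    for line in event_lines:
        for pattern, is_ctx in ((WRITE_RE, False), (CTX_RE, True)):
            m = pattern.search(line)
            if not m:
                continue
            src, tgt = (int(x) for x in m.groups())
            rec = records.setdefault((src, tgt), InjectionRecord(src, tgt))
            if is_ctx:
                rec.thread_context_set = True
            else:
                rec.writes += 1
            break
    return records


def verdict(rec, images):
    """'hollowed': execution redirected via SetThreadContext into a process running the
    same image as the writer (CreateProcess suspended -> WriteProcessMemory ->
    SetThreadContext -> ResumeThread). 'injected': the same chain across different
    images. 'write-only': memory written but execution never moved."""
    if not rec.thread_context_set:
        return "write-only"
    same_image = images.get(rec.source) == images.get(rec.target)
    return "hollowed" if same_image else "injected"


def hollowing_verdicts(event_lines, images):
    return {pair: verdict(rec, images) for pair, rec in collect(event_lines).items()}


if __name__ == "__main__":
    for (src, tgt), v in hollowing_verdicts(EVENT_LINES, IMAGES).items():
        print(f"{src} -> {tgt}: {v}")
```

A same-image parent/child pair where the parent writes into the child before the child has done anything is the part worth alerting on; a single WriteProcessMemory by itself is too common (debuggers, installers, AV) to be a detection on its own.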
Network
MITRE ATT&CK Matrix

Tactics from the signatures above: Collection, Credential Access.

Downloads

Memory dumps taken during the run. The 564 dumps of 0x400000-0x43C000 (66 and 68) and the 0x43764E mapping (67) are the ones the family_agenttesla YARA rule matched.

  • memory/564-66-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/564-67-0x000000000043764E-mapping.dmp
  • memory/564-68-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/564-70-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
  • memory/564-71-0x0000000000AC1000-0x0000000000AC2000-memory.dmp
  • memory/736-60-0x0000000000E00000-0x0000000000E01000-memory.dmp
  • memory/736-62-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
  • memory/736-63-0x0000000000450000-0x000000000046B000-memory.dmp
  • memory/736-64-0x0000000005BE0000-0x0000000005C5C000-memory.dmp
  • memory/736-65-0x0000000004AC0000-0x0000000004AFD000-memory.dmp