NEW ORDER.zip

General

Target:     NEW ORDER.exe
Filesize:   630KB
Completed:  27-07-2021 19:05
Score:      10/10
MD5:        1559eb5515eb732de889dcdff24662c9
SHA1:       69abf00e7e4ab89a0592380413d3d12cfc714cb9
SHA256:     3984eb9bbb5210eaf04a4bcdfcc1512a58df9d264cf2e8a19377f59d4fd8e55b

Malware Config

Extracted

Family:     agenttesla
Credentials
  Protocol: smtp
  Host:     smtp.saisianket-tech.com
  Port:     587
  Username: akibapen@saisianket-tech.com
  Password: oluwagozie123

Signatures (9)

  • AgentTesla
    Collection, Credential Access

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/1736-66-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/1736-67-0x00000000004374BE-mapping.dmp                    family_agenttesla
    behavioral1/memory/1736-68-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Suspicious use of SetThreadContext
    NEW ORDER.exe

    Reported IOCs

    description                          pid   process        target process
    PID 1728 set thread context of 1736  1728  NEW ORDER.exe  NEW ORDER.exe
  • Suspicious behavior: EnumeratesProcesses
    NEW ORDER.exe

    Reported IOCs

    pid   process
    1736  NEW ORDER.exe
    1736  NEW ORDER.exe
  • Suspicious use of AdjustPrivilegeToken
    NEW ORDER.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1736  NEW ORDER.exe
  • Suspicious use of WriteProcessMemory
    NEW ORDER.exe

    Reported IOCs

    description                        pid   process        target process
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
    PID 1728 wrote to memory of 1736   1728  NEW ORDER.exe  NEW ORDER.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736
Network
MITRE ATT&CK Matrix
  Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1728-60-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
  • memory/1728-62-0x0000000000630000-0x0000000000631000-memory.dmp
  • memory/1728-63-0x00000000005D0000-0x00000000005D2000-memory.dmp
  • memory/1728-64-0x0000000005DF0000-0x0000000005E70000-memory.dmp
  • memory/1728-65-0x0000000000D30000-0x0000000000D6C000-memory.dmp
  • memory/1736-66-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1736-67-0x00000000004374BE-mapping.dmp
  • memory/1736-68-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1736-70-0x0000000004B30000-0x0000000004B31000-memory.dmp
  • memory/1736-71-0x0000000004B31000-0x0000000004B32000-memory.dmp