SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

General
Target: SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
Filesize: 877KB
Completed: 27-07-2021 21:46
Score: 10/10
MD5: 62b3afbdddfb88d96f76df2afd3bd8f2
SHA1: 02d47da3c2f80960e94abbd69a316c0ef9cbc298
SHA256: 232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

Malware Config

Extracted
Family: agenttesla

Credentials
Protocol: smtp
Host: uscentral50.myserverhosts.com
Port: 587
Username: sales@radheatwaters.com
Password: waters@789

Signatures (9)

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/916-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/916-66-0x000000000043763E-mapping.dmp | family_agenttesla
    behavioral1/memory/916-67-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/980-62-0x00000000001C0000-0x00000000001CB000-memory.dmp | CustAttr
  • Drops file in Drivers directory
    RegSvcs.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
  • Adds Run key to start application
    RegSvcs.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" | RegSvcs.exe
  • Suspicious use of SetThreadContext
    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe

    Reported IOCs

    description | pid | process | target process
    PID 980 set thread context of 916 | 980 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
  • Suspicious behavior: EnumeratesProcesses
    RegSvcs.exe

    Reported IOCs

    pid | process
    916 | RegSvcs.exe
    916 | RegSvcs.exe
  • Suspicious use of AdjustPrivilegeToken
    RegSvcs.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 916 | RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe

    Reported IOCs

    description | pid | process | target process
    PID 980 wrote to memory of 916 | 980 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    (the same entry is reported 12 times)
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:916
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation