Analysis

  • max time kernel
    145s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 21:43

General

  • Target

    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe

  • Size

    877KB

  • MD5

    62b3afbdddfb88d96f76df2afd3bd8f2

  • SHA1

    02d47da3c2f80960e94abbd69a316c0ef9cbc298

  • SHA256

    232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

  • SHA512

    4b1838c2bf67f7d567d2276b06aa5b4797ef017f0c1208307ebc0a13bd344ff6d2a81e96c7daf89c8f9c5c34a7141f7d936196792dc7aa79a86b370c9b6eba44

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    uscentral50.myserverhosts.com
  • Port:
    587
  • Username:
    sales@radheatwaters.com
  • Password:
    waters@789

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 3 IoCs
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Drops file in Drivers directory 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Drops file in Drivers directory
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/916-65-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

  • memory/916-66-0x000000000043763E-mapping.dmp
  • memory/916-67-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

  • memory/916-69-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

  • memory/916-70-0x00000000049D1000-0x00000000049D2000-memory.dmp
    Filesize

    4KB

  • memory/980-59-0x00000000013B0000-0x00000000013B1000-memory.dmp
    Filesize

    4KB

  • memory/980-61-0x0000000004E90000-0x0000000004E91000-memory.dmp
    Filesize

    4KB

  • memory/980-62-0x00000000001C0000-0x00000000001CB000-memory.dmp
    Filesize

    44KB

  • memory/980-63-0x0000000004DF0000-0x0000000004E72000-memory.dmp
    Filesize

    520KB

  • memory/980-64-0x0000000000500000-0x000000000053D000-memory.dmp
    Filesize

    244KB