SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

General
Target

SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe

Filesize

877KB

Completed

27-07-2021 21:45

Score

10/10
MD5

62b3afbdddfb88d96f76df2afd3bd8f2

SHA1

02d47da3c2f80960e94abbd69a316c0ef9cbc298

SHA256

232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: uscentral50.myserverhosts.com

Port: 587

Username: sales@radheatwaters.com

Password: waters@789

Signatures 9

Tactics: Defense Evasion, Persistence

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1608-126-0x000000000043763E-mapping.dmp | family_agenttesla
    behavioral2/memory/1608-125-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/1608-131-0x0000000004C60000-0x000000000515E000-memory.dmp | family_agenttesla

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3156-122-0x0000000004FB0000-0x0000000004FBB000-memory.dmp | CustAttr

  • Drops file in Drivers directory
    RegSvcs.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe

  • Adds Run key to start application
    RegSvcs.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" | RegSvcs.exe

  • Suspicious use of SetThreadContext
    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe

    Reported IOCs

    description | pid | process | target process
    PID 3156 set thread context of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe

  • Suspicious behavior: EnumeratesProcesses
    RegSvcs.exe

    Reported IOCs

    pid | process
    1608 | RegSvcs.exe
    1608 | RegSvcs.exe

  • Suspicious use of AdjustPrivilegeToken
    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
    RegSvcs.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
    Token: SeDebugPrivilege | 1608 | RegSvcs.exe

  • Suspicious use of WriteProcessMemory
    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe

    Reported IOCs

    description | pid | process | target process
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe
    PID 3156 wrote to memory of 1608 | 3156 | SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe | RegSvcs.exe

Processes 2
  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223.exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1608