RFQ#-Airbus AS365-EC155.exe

General

Target:     RFQ#-Airbus AS365-EC155.exe
Filesize:   850KB
Completed:  27-07-2021 18:07
Score:      10/10
MD5:        59b10a4ae08a82cceaf918848c40a8f5
SHA1:       acf4e109eba29bc8ad37a4db9337ac9a30f74e68
SHA256:     bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8

Malware Config

Extracted

Family:     agenttesla
Credentials
  Protocol: smtp
  Host:     smtp.sempreviva.pet
  Port:     587
  Username: dataoffice1@sempreviva.pet
  Password: ACYPFpe9

Signatures 12

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/2136-128-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral2/memory/2136-129-0x000000000043759E-mapping.dmp                     family_agenttesla
    behavioral2/memory/2136-136-0x0000000004D80000-0x000000000527E000-memory.dmp   family_agenttesla
  • Executes dropped EXE
    InstallUtil.exe

    Reported IOCs

    pid    process
    2136   InstallUtil.exe
  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/3628-122-0x00000000062F0000-0x0000000006311000-memory.dmp   agile_net
    behavioral2/memory/3628-125-0x0000000004B10000-0x000000000500E000-memory.dmp   agile_net
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    InstallUtil.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description       ioc                                                                                                                                                          process
    Set value (str)   \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qXLPL = "C:\\Users\\Admin\\AppData\\Roaming\\qXLPL\\qXLPL.exe"   InstallUtil.exe
  • Suspicious use of SetThreadContext
    RFQ#-Airbus AS365-EC155.exe

    Reported IOCs

    description                            pid    process                       target process
    PID 3628 set thread context of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
  • Suspicious behavior: EnumeratesProcesses
    RFQ#-Airbus AS365-EC155.exe, InstallUtil.exe

    Reported IOCs

    pid    process
    3628   RFQ#-Airbus AS365-EC155.exe
    3628   RFQ#-Airbus AS365-EC155.exe
    2136   InstallUtil.exe
    2136   InstallUtil.exe
  • Suspicious use of AdjustPrivilegeToken
    RFQ#-Airbus AS365-EC155.exe, InstallUtil.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   3628   RFQ#-Airbus AS365-EC155.exe
    Token: SeDebugPrivilege   2136   InstallUtil.exe
  • Suspicious use of WriteProcessMemory
    RFQ#-Airbus AS365-EC155.exe

    Reported IOCs

    description                         pid    process                       target process
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
    PID 3628 wrote to memory of 2136    3628   RFQ#-Airbus AS365-EC155.exe   InstallUtil.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\RFQ#-Airbus AS365-EC155.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ#-Airbus AS365-EC155.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
Network

MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

    MD5:     91c9ae9c9a17a9db5e08b120e668c74c
    SHA1:    50770954c1ceb0bb6f1d5d3f2de2a0a065773723
    SHA256:  e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
    SHA512:  ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
