6ufxz8ps3Mbqhxn.exe

General

Target: 6ufxz8ps3Mbqhxn.exe
Filesize: 644KB
Completed: 27-07-2021 18:21
Score: 10/10
MD5: c253f7490b6837696d2a3108063b1759
SHA1: 5e638bdae86a9fa81e53085f345c117a21510c24
SHA256: 3989e4bbaeab65af22040deae65366ea0b0091b8baf47093fe8147a8eb8187da

Malware Config

Extracted

Family: agenttesla

Credentials
Protocol: smtp
Host: smtp.vivaldi.net
Port: 587
Username: vor007@vivaldi.net
Password: Temporal2018*

Signatures 6

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET. The extracted config above shows this build exfiltrating over SMTP (smtp.vivaldi.net, port 587) using the embedded mailbox credentials.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1072-67-0x000000000043751E-mapping.dmp | family_agenttesla
    behavioral1/memory/1072-66-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/1072-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla

  • Suspicious use of SetThreadContext
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    description | pid | process | target process
    PID 1652 set thread context of 1072 | 1652 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe

  • Suspicious behavior: EnumeratesProcesses
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    pid | process
    1072 | 6ufxz8ps3Mbqhxn.exe
    1072 | 6ufxz8ps3Mbqhxn.exe

  • Suspicious use of AdjustPrivilegeToken
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1072 | 6ufxz8ps3Mbqhxn.exe

  • Suspicious use of WriteProcessMemory
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    description | pid | process | target process
    PID 1652 wrote to memory of 1072 (9 calls) | 1652 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe
    "C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe
      "C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
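The signature tables and process tree above describe one sequence: the first 6ufxz8ps3Mbqhxn.exe (PID 1652) starts a second copy of itself (PID 1072), writes into it nine times, then calls SetThreadContext; the YARA family hits land in the child's 0x400000-0x43C000 region, and the mapping dump records 0x43751E inside that region. That is the process-hollowing pattern, and it is the correlation a detection engineer would want to encode rather than alerting on any single API. The Python below is an added example for this report, not the sandbox's own tooling: it reconstructs the page's events as records, flags a source/target pair only when a remote write and a thread-context change coincide, and parses the dump file names to pick the dumps worth scanning. The Event field names, the CreateProcess record (taken from the process tree nesting) and the reading of the mapping dump address as the thread start the parent set are assumptions.

```python
"""Correlate sandbox process events into a process-hollowing indicator and pick the dumps to scan.

Added example for this report; not part of the sandbox's own tooling.
Event records are reconstructed from the signature tables and the process
tree on this page (PIDs 1652 and 1072); the Event field names are assumptions.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

IMAGE = "6ufxz8ps3Mbqhxn.exe"


@dataclass(frozen=True)
class Event:
    api: str                          # signature / API name as the sandbox reports it
    pid: int                          # acting process
    process: str                      # image name of the acting process
    target_pid: Optional[int] = None  # set only for cross-process signatures
    target_process: Optional[str] = None


# Constructed from this page: parent 1652 spawns child 1072 (process tree), writes to it
# nine times, sets its thread context; the child then takes SeDebugPrivilege.
EVENTS = [
    Event("CreateProcess", 1652, IMAGE, 1072, IMAGE),
    *[Event("WriteProcessMemory", 1652, IMAGE, 1072, IMAGE) for _ in range(9)],
    Event("SetThreadContext", 1652, IMAGE, 1072, IMAGE),
    Event("AdjustPrivilegeToken", 1072, IMAGE),
]

# Dump names copied from the Downloads list on this page.
DUMPS = [
    "memory/1072-66-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/1072-68-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/1072-70-0x0000000004B70000-0x0000000004B71000-memory.dmp",
    "memory/1072-67-0x000000000043751E-mapping.dmp",
    "memory/1652-64-0x0000000005410000-0x0000000005482000-memory.dmp",
    "memory/1652-65-0x0000000000B80000-0x0000000000BB9000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split '<pid>-<seq>-<start>[-<end>]-<kind>.dmp' into fields; addresses become ints."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return {
        "name": name,
        "pid": int(pid),
        "seq": int(seq),
        "start": int(start, 16),
        "end": int(end, 16) if end else None,   # mapping dumps carry a single address
        "kind": kind,
    }


def find_hollowing(events):
    """Flag (source, target) pairs that show a remote write AND a thread-context change."""
    api_counts = defaultdict(lambda: defaultdict(int))
    names = {}
    for e in events:
        if e.target_pid is None:
            continue                              # in-process signatures are not injection
        api_counts[(e.pid, e.target_pid)][e.api] += 1
        names[(e.pid, e.target_pid)] = (e.process, e.target_process or "")
    findings = []
    for (src, dst), apis in api_counts.items():
        if apis["WriteProcessMemory"] and apis["SetThreadContext"]:
            src_name, dst_name = names[(src, dst)]
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": apis["WriteProcessMemory"],
                "spawned_by_source": apis["CreateProcess"] > 0,
                "self_image": src_name.lower() == dst_name.lower(),  # hollowing its own copy
            })
    return findings


def dumps_covering(dumps, pid, addr):
    """Memory dumps of `pid` whose address range contains `addr`."""
    return sorted(
        d["name"] for d in map(parse_dump, dumps)
        if d["pid"] == pid and d["kind"] == "memory" and d["start"] <= addr < d["end"]
    )


def triage(events, dumps):
    """Attach each finding's mapping address(es) and the target dumps that cover them.

    Assumption: a '-mapping.dmp' entry records where the source pointed the target's
    thread, so the memory dump containing that address holds the injected image.
    """
    parsed = [parse_dump(d) for d in dumps]
    results = []
    for f in find_hollowing(events):
        addrs = [d["start"] for d in parsed
                 if d["pid"] == f["target_pid"] and d["kind"] == "mapping"]
        covering = sorted({n for a in addrs for n in dumps_covering(dumps, f["target_pid"], a)})
        results.append({**f, "mapping_addrs": addrs, "dumps_to_scan": covering})
    return results


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS, DUMPS), indent=2))
```

Run against the page's records, `triage` returns a single finding for 1652 -> 1072 with nine writes, marks it as a self-image hollow, and selects the two 0x400000-0x43C000 dumps of PID 1072 (the ones the YARA rule matched) for scanning; a lone WriteProcessMemory with no SetThreadContext produces no finding, which keeps ordinary debugger and instrumentation activity out of the alert.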
Network
MITRE ATT&CK Matrix
No techniques are mapped in this report. Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation.
Downloads
  • memory/1072-66-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1072-68-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1072-70-0x0000000004B70000-0x0000000004B71000-memory.dmp
  • memory/1072-67-0x000000000043751E-mapping.dmp
  • memory/1652-64-0x0000000005410000-0x0000000005482000-memory.dmp
  • memory/1652-65-0x0000000000B80000-0x0000000000BB9000-memory.dmp
  • memory/1652-60-0x0000000001380000-0x0000000001381000-memory.dmp
  • memory/1652-62-0x00000000012C0000-0x00000000012C1000-memory.dmp
  • memory/1652-63-0x0000000000450000-0x000000000046B000-memory.dmp