6ufxz8ps3Mbqhxn.exe

General
Target

6ufxz8ps3Mbqhxn.exe

Filesize

644KB

Completed

27-07-2021 18:21

Score
10 /10
MD5

c253f7490b6837696d2a3108063b1759

SHA1

5e638bdae86a9fa81e53085f345c117a21510c24

SHA256

3989e4bbaeab65af22040deae65366ea0b0091b8baf47093fe8147a8eb8187da

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: smtp.vivaldi.net

Port: 587

Username: vor007@vivaldi.net

Password: Temporal2018*

Signatures 9


Collection
Credential Access
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1248-125-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/1248-126-0x000000000043751E-mapping.dmp | family_agenttesla
    behavioral2/memory/1248-132-0x0000000004DB0000-0x00000000052AE000-memory.dmp | family_agenttesla
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious use of SetThreadContext
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    description | pid | process | target process
    PID 500 set thread context of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
  • Suspicious behavior: EnumeratesProcesses
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    pid | process
    1248 | 6ufxz8ps3Mbqhxn.exe
    1248 | 6ufxz8ps3Mbqhxn.exe
  • Suspicious use of AdjustPrivilegeToken
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1248 | 6ufxz8ps3Mbqhxn.exe
  • Suspicious use of WriteProcessMemory
    6ufxz8ps3Mbqhxn.exe

    Reported IOCs

    description | pid | process | target process
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
    PID 500 wrote to memory of 1248 | 500 | 6ufxz8ps3Mbqhxn.exe | 6ufxz8ps3Mbqhxn.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe
    "C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:500
    • C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe
      "C:\Users\Admin\AppData\Local\Temp\6ufxz8ps3Mbqhxn.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1248
Network

MITRE ATT&CK Matrix
  Command and Control
  Credential Access
  Defense Evasion
  Discovery
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6ufxz8ps3Mbqhxn.exe.log

    MD5

    90acfd72f14a512712b1a7380c0faf60

    SHA1

    40ba4accb8faa75887e84fb8e38d598dc8cf0f12

    SHA256

    20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

    SHA512

    29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

  • memory/500-116-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
  • memory/500-117-0x0000000005380000-0x0000000005381000-memory.dmp
  • memory/500-118-0x0000000004F20000-0x0000000004F21000-memory.dmp
  • memory/500-119-0x0000000004D90000-0x0000000004D91000-memory.dmp
  • memory/500-120-0x0000000005080000-0x0000000005081000-memory.dmp
  • memory/500-121-0x0000000004D00000-0x0000000004D9C000-memory.dmp
  • memory/500-122-0x0000000005320000-0x000000000533B000-memory.dmp
  • memory/500-123-0x00000000073A0000-0x0000000007412000-memory.dmp
  • memory/500-124-0x0000000007420000-0x0000000007459000-memory.dmp
  • memory/500-114-0x0000000000390000-0x0000000000391000-memory.dmp
  • memory/1248-126-0x000000000043751E-mapping.dmp
  • memory/1248-125-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1248-132-0x0000000004DB0000-0x00000000052AE000-memory.dmp
  • memory/1248-133-0x00000000051D0000-0x00000000051D1000-memory.dmp
  • memory/1248-134-0x0000000005AA0000-0x0000000005AA1000-memory.dmp