Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7v20210410
submitted: 27-07-2021 23:03
Static task: static1
Behavioral task: behavioral1
  Sample: Ref 4359-0201-106.034.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Ref 4359-0201-106.034.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Ref 4359-0201-106.034.exe
Size: 749KB
MD5: b494cae2a5d2841dfc30166f2420b591
SHA1: 02d3c49ab6714d37974031ac5236b285a251668c
SHA256: 3a121fe0868a35e1b49b0d37241d04bcef95d9b34bcd3b33736857c9b59c846d
SHA512: ba5d8bf08d7c8b549c728893261468c789ca0965c4fb301e64ac0f21e23687c0d6ebd13c25d2745aad6078636be09bfb4c741992a610b4156617dd676551e16b
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.ombakparadise.com
  Port: 587
  Username: ce@ombakparadise.com
  Password: ce$%^mirah
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/848-62-0x0000000000437A2E-mapping.dmp | family_agenttesla
  behavioral1/memory/848-61-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 752 set thread context of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  364 | dw20.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | process | target process
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 752 wrote to memory of 848 | 752 | Ref 4359-0201-106.034.exe | RegSvcs.exe
  PID 848 wrote to memory of 364 | 848 | RegSvcs.exe | dw20.exe
  PID 848 wrote to memory of 364 | 848 | RegSvcs.exe | dw20.exe
  PID 848 wrote to memory of 364 | 848 | RegSvcs.exe | dw20.exe
  PID 848 wrote to memory of 364 | 848 | RegSvcs.exe | dw20.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Ref 4359-0201-106.034.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Ref 4359-0201-106.034.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    command line: "{path}"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      command line: dw20.exe -x -s 392
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
memory/364-66-0x0000000000000000-mapping.dmp
memory/364-68-0x0000000000730000-0x0000000000731000-memory.dmp (Filesize: 4KB)
memory/752-59-0x0000000076661000-0x0000000076663000-memory.dmp (Filesize: 8KB)
memory/752-60-0x00000000008E0000-0x00000000008E1000-memory.dmp (Filesize: 4KB)
memory/752-64-0x00000000008E1000-0x00000000008E2000-memory.dmp (Filesize: 4KB)
memory/848-62-0x0000000000437A2E-mapping.dmp
memory/848-61-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
memory/848-65-0x0000000002030000-0x0000000002031000-memory.dmp (Filesize: 4KB)