Analysis
- max time kernel: 36s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 23:03
Static task: static1

Behavioral task: behavioral1
- Sample: Ref 4359-0201-106.034.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Ref 4359-0201-106.034.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Ref 4359-0201-106.034.exe
- Size: 749KB
- MD5: b494cae2a5d2841dfc30166f2420b591
- SHA1: 02d3c49ab6714d37974031ac5236b285a251668c
- SHA256: 3a121fe0868a35e1b49b0d37241d04bcef95d9b34bcd3b33736857c9b59c846d
- SHA512: ba5d8bf08d7c8b549c728893261468c789ca0965c4fb301e64ac0f21e23687c0d6ebd13c25d2745aad6078636be09bfb4c741992a610b4156617dd676551e16b
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: mail.ombakparadise.com
  - Port: 587
  - Username: ce@ombakparadise.com
  - Password: ce$%^mirah
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3832-115-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/3832-116-0x0000000000437A2E-mapping.dmp | family_agenttesla

Suspicious use of SetThreadContext (1 IoC)
Processes: Ref 4359-0201-106.034.exe
description | pid | process | target process
PID 4036 set thread context of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: dw20.exe
pid | process
3208 | dw20.exe
3208 | dw20.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: dw20.exe
description | pid | process
Token: SeRestorePrivilege | 3208 | dw20.exe
Token: SeBackupPrivilege | 3208 | dw20.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: Ref 4359-0201-106.034.exe, RegSvcs.exe
description | pid | process | target process
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 4036 wrote to memory of 3832 | 4036 | Ref 4359-0201-106.034.exe | RegSvcs.exe
PID 3832 wrote to memory of 3208 | 3832 | RegSvcs.exe | dw20.exe
PID 3832 wrote to memory of 3208 | 3832 | RegSvcs.exe | dw20.exe
PID 3832 wrote to memory of 3208 | 3832 | RegSvcs.exe | dw20.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Ref 4359-0201-106.034.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ref 4359-0201-106.034.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 696
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3208-117-0x0000000000000000-mapping.dmp
- memory/3832-115-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3832-116-0x0000000000437A2E-mapping.dmp
- memory/3832-118-0x0000000002E50000-0x0000000002E51000-memory.dmp (Filesize: 4KB)
- memory/4036-114-0x0000000003140000-0x0000000003141000-memory.dmp (Filesize: 4KB)