c277827a2afe5d23f11448d75291342c.exe

General
Target

c277827a2afe5d23f11448d75291342c.exe

Filesize

513KB

Completed

27-07-2021 16:29

Score
10/10
MD5

c277827a2afe5d23f11448d75291342c

SHA1

84528fcebd7c5dd3b118dad30bbb3ee30566f98e

SHA256

be98f101070d1ef350f5d1768e640f5f23b047f890fde74495e49b9f6fa4d00b

Malware Config

Extracted

Family  agenttesla
C2      https://api.telegram.org/bot1805574870:AAHXBVpTNJET3oRosoa2brFL9_G19NkXu8I/sendDocument

The C2 is the Telegram Bot API sendDocument method, so stolen data leaves the host as a file upload to the operator's bot over ordinary HTTPS to api.telegram.org. The path segment after "bot" is the bot token (numeric bot ID, a colon, then the secret); the numeric ID is the part to pivot on when hunting other samples and when reporting the bot.

Signatures 7

Tactics: Defense Evasion, Persistence
  • AgentTesla

    Description

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, credential theft from browsers and mail clients). This sample's extracted config points at a Telegram bot for exfiltration (see Malware Config above).

  • AgentTesla Payload

    Reported IOCs

    Resource                                                                    YARA rule
    behavioral1/memory/744-71-0x000000000043773E-mapping.dmp                    family_agenttesla
    behavioral1/memory/744-70-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/744-72-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
  • Adds Run key to start application
    c277827a2afe5d23f11448d75291342c.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    Description:  Set value (str)
    IOC:          \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\service.exe = "C:\\Users\\Admin\\AppData\\Roaming\\service.exe\\service.exe.exe"
    Process:      c277827a2afe5d23f11448d75291342c.exe (PID 744 per the process tree below)

    Note the value data: a directory named service.exe under %APPDATA% holding a file named service.exe.exe. The doubled extension and the user-writable location are both good hunting pivots on a host.
  • Suspicious use of SetThreadContext
    c277827a2afe5d23f11448d75291342c.exe

    Reported IOCs

    Description                         PID   Process                               Target process
    PID 1060 set thread context of 744  1060  c277827a2afe5d23f11448d75291342c.exe  c277827a2afe5d23f11448d75291342c.exe
  • Suspicious behavior: EnumeratesProcesses
    c277827a2afe5d23f11448d75291342c.exe (PID 1060), c277827a2afe5d23f11448d75291342c.exe (PID 744)

    Reported IOCs

    PID   Process
    1060  c277827a2afe5d23f11448d75291342c.exe
    1060  c277827a2afe5d23f11448d75291342c.exe
    744   c277827a2afe5d23f11448d75291342c.exe
    744   c277827a2afe5d23f11448d75291342c.exe
  • Suspicious use of AdjustPrivilegeToken
    c277827a2afe5d23f11448d75291342c.exe (PID 1060), c277827a2afe5d23f11448d75291342c.exe (PID 744)

    Reported IOCs

    Description              PID   Process
    Token: SeDebugPrivilege  1060  c277827a2afe5d23f11448d75291342c.exe
    Token: SeDebugPrivilege  744   c277827a2afe5d23f11448d75291342c.exe
  • Suspicious use of WriteProcessMemory
    c277827a2afe5d23f11448d75291342c.exe

    Reported IOCs

    Description                      PID   Process                               Target process
    PID 1060 wrote to memory of 744  1060  c277827a2afe5d23f11448d75291342c.exe  c277827a2afe5d23f11448d75291342c.exe
    (this row is reported 9 times: nine separate writes into PID 744, the same child whose thread context PID 1060 set)
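Taken together, the signatures above describe one chain: the parent (PID 1060) takes SeDebugPrivilege, writes nine times into a second copy of its own image (PID 744), redirects that child's thread context, and the child then writes a Run key pointing into %APPDATA%, while the extracted config gives a Telegram Bot API endpoint as C2. The Python below is an added example written for this page, not Triage or sandbox code, showing how a detection engineer would turn those three observations (self-injection via WriteProcessMemory then SetThreadContext, Run key persistence into user-writable paths, Telegram bot tokens in C2 URLs) into checks. The event records are constructed here to mirror the report's tables; the field names (api, pid, process, target_pid, target, key, value, priv) are an assumed schema, and the ordering of the writes before the SetThreadContext call is assumed, since the report lists them without timestamps.

```python
"""Detection checks built from this report's signatures (editor's added
example, not sandbox code). Events below are constructed to mirror the
report; the schema and event ordering are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE = "c277827a2afe5d23f11448d75291342c.exe"

# Constructed events mirroring the "Reported IOCs" tables above.
EVENTS = [
    {"api": "AdjustPrivilegeToken", "pid": 1060, "process": SAMPLE, "priv": "SeDebugPrivilege"},
    *[{"api": "WriteProcessMemory", "pid": 1060, "process": SAMPLE,
       "target_pid": 744, "target": SAMPLE} for _ in range(9)],
    {"api": "SetThreadContext", "pid": 1060, "process": SAMPLE,
     "target_pid": 744, "target": SAMPLE},
    {"api": "AdjustPrivilegeToken", "pid": 744, "process": SAMPLE, "priv": "SeDebugPrivilege"},
    {"api": "RegSetValue", "pid": 744, "process": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\service.exe",
     "value": r"C:\Users\Admin\AppData\Roaming\service.exe\service.exe.exe"},
]
C2_URL = ("https://api.telegram.org/bot1805574870:"
          "AAHXBVpTNJET3oRosoa2brFL9_G19NkXu8I/sendDocument")


def find_hollowing(events):
    """A parent writes into a child's memory and then sets the child's thread
    context: the core of process hollowing. Both sides sharing one image path
    is the self-injection form in this report. One hit per (parent, child)."""
    writes = defaultdict(int)
    debug_priv = set()
    hits = []
    for e in events:
        api = e["api"]
        if api == "AdjustPrivilegeToken" and e.get("priv") == "SeDebugPrivilege":
            debug_priv.add(e["pid"])
        elif api == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif api == "SetThreadContext":
            pair = (e["pid"], e["target_pid"])
            if writes[pair]:  # only flag when writes preceded the context change
                hits.append({
                    "parent": pair[0], "child": pair[1],
                    "writes_before_context": writes[pair],
                    "same_image": e["process"].lower() == e["target"].lower(),
                    "parent_has_debug_priv": pair[0] in debug_priv,
                })
    return hits


RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


def find_run_key_persistence(events):
    """Run/RunOnce value writes; flags user-writable targets and doubled
    extensions, both present in this sample's ...\\service.exe\\service.exe.exe."""
    hits = []
    for e in events:
        if e["api"] != "RegSetValue" or not RUN_KEY_RE.search(e["key"]):
            continue
        path = e["value"].strip('"').lower()
        hits.append({
            "pid": e["pid"],
            "value_name": e["key"].rsplit("\\", 1)[-1],
            "path": e["value"],
            "user_writable": any(s in path for s in USER_WRITABLE),
            "double_extension": re.search(r"\.[a-z0-9]{2,4}\.exe$", path) is not None,
        })
    return hits


TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")


def classify_c2(url):
    """Telegram Bot API as C2: the token is in the path as bot<id>:<secret>.
    Returns the numeric bot id (the hunting/reporting pivot) and a redacted
    fingerprint; the full secret is what the operator needs, so keep it out
    of tickets and dashboards."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(u.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    return {"channel": "telegram_bot_api", "bot_id": bot_id, "method": method,
            "exfil": method in {"sendDocument", "sendMessage", "sendPhoto"},
            "token_fingerprint": f"bot{bot_id}:{secret[:4]}...{secret[-4:]}"}


def findings(events=EVENTS, c2=C2_URL):
    """All three checks as a list of (rule, detail) tuples."""
    out = [("process_hollowing", h) for h in find_hollowing(events)]
    out += [("run_key_persistence", h) for h in find_run_key_persistence(events)]
    c2_info = classify_c2(c2)
    if c2_info:
        out.append(("telegram_bot_c2", c2_info))
    return out


if __name__ == "__main__":
    for rule, detail in findings():
        print(rule, detail)
```

On real telemetry the same_image flag is what separates this sample's pattern from legitimate debuggers and crash handlers, which also call WriteProcessMemory and SetThreadContext but on a different image; the SeDebugPrivilege flag on its own is noisy and is kept only as supporting context.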
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe
    "C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe
      C:\Users\Admin\AppData\Local\Temp\c277827a2afe5d23f11448d75291342c.exe
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:744
Network
MITRE ATT&CK Matrix

Persistence: Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion: Modify Registry (T1112)
Downloads

  • memory/744-71-0x000000000043773E-mapping.dmp
  • memory/744-70-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/744-72-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/744-74-0x0000000004C70000-0x0000000004C71000-memory.dmp
  • memory/1060-64-0x0000000002020000-0x0000000002079000-memory.dmp
  • memory/1060-69-0x0000000007D30000-0x0000000007DA5000-memory.dmp
  • memory/1060-59-0x0000000000A00000-0x0000000000A01000-memory.dmp
  • memory/1060-61-0x0000000004B90000-0x0000000004B91000-memory.dmp
  • memory/1060-62-0x0000000004B91000-0x0000000004B92000-memory.dmp
  • memory/1060-63-0x0000000004B96000-0x0000000004BA7000-memory.dmp

The first three dumps (PID 744) are the ones the family_agenttesla rule matched: 0x400000-0x43C000 is the image region the parent wrote into, and the single address 0x43773E in the mapping dump sits inside it, consistent with the entry point set through SetThreadContext. Start there when pulling the unpacked payload rather than from the 1060 dumps, which cover the loader.