Analysis
max time kernel: 41s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 27-07-2021 22:07
Static task: static1
Behavioral task: behavioral1
  Sample: Ref 4359-0201-106.034.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Ref 4359-0201-106.034.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Ref 4359-0201-106.034.exe
Size: 749KB
MD5: b494cae2a5d2841dfc30166f2420b591
SHA1: 02d3c49ab6714d37974031ac5236b285a251668c
SHA256: 3a121fe0868a35e1b49b0d37241d04bcef95d9b34bcd3b33736857c9b59c846d
SHA512: ba5d8bf08d7c8b549c728893261468c789ca0965c4fb301e64ac0f21e23687c0d6ebd13c25d2745aad6078636be09bfb4c741992a610b4156617dd676551e16b
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.ombakparadise.com
  Port: 587
  Username: ce@ombakparadise.com
  Password: ce$%^mirah
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (3 IoCs)
  Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2176-115-0x0000000000400000-0x000000000043C000-memory.dmp    family_agenttesla
  behavioral2/memory/2176-116-0x0000000000437A2E-mapping.dmp                      family_agenttesla
  behavioral2/memory/2176-118-0x0000000001220000-0x00000000012CE000-memory.dmp    family_agenttesla
Suspicious use of SetThreadContext (1 IoC)
  Processes: Ref 4359-0201-106.034.exe
  description                          pid   process                      target process
  PID 664 set thread context of 2176   664   Ref 4359-0201-106.034.exe    RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: Ref 4359-0201-106.034.exe, dw20.exe
  pid   process
  664   Ref 4359-0201-106.034.exe
  664   Ref 4359-0201-106.034.exe
  768   dw20.exe
  768   dw20.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Ref 4359-0201-106.034.exe, dw20.exe
  description                  pid   process
  Token: SeDebugPrivilege      664   Ref 4359-0201-106.034.exe
  Token: SeRestorePrivilege    768   dw20.exe
  Token: SeBackupPrivilege     768   dw20.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: Ref 4359-0201-106.034.exe, RegSvcs.exe
  description                       pid    process                      target process
  PID 664 wrote to memory of 2316   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2316   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2316   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 664 wrote to memory of 2176   664    Ref 4359-0201-106.034.exe    RegSvcs.exe
  PID 2176 wrote to memory of 768   2176   RegSvcs.exe                  dw20.exe
  PID 2176 wrote to memory of 768   2176   RegSvcs.exe                  dw20.exe
  PID 2176 wrote to memory of 768   2176   RegSvcs.exe                  dw20.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Ref 4359-0201-106.034.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ref 4359-0201-106.034.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 700
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/664-114-0x0000000002EB0000-0x0000000002EB1000-memory.dmp    Filesize: 4KB
memory/768-117-0x0000000000000000-mapping.dmp
memory/2176-115-0x0000000000400000-0x000000000043C000-memory.dmp   Filesize: 240KB
memory/2176-116-0x0000000000437A2E-mapping.dmp
memory/2176-118-0x0000000001220000-0x00000000012CE000-memory.dmp   Filesize: 696KB