Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 28-07-2021 12:00

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 184285013-044310-sanlccjavap0003-7069_pdf (2).exe, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: 184285013-044310-sanlccjavap0003-7069_pdf (2).exe, Resource: win10v20210410)
General
- Target: 184285013-044310-sanlccjavap0003-7069_pdf (2).exe
- Size: 676KB
- MD5: 075ed58f01d9d87c0838fa73534187c5
- SHA1: 84baf0c318d1e8a22b02b9f3ce313fae44350747
- SHA256: fc5ed0a66d1dc9b980a9c09c563979d48c840963569ccb81eb5972beed07c2b8
- SHA512: 1ba2c1285d1ab807453cbb4915d03d675f14994420f0cc9d1fed98356ad4fe93df009005d6c6156b9a5abb1f2d3eaa51cc41980d3c98208c2e5454f9dc514663
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.tccinfaes.com
- Port: 587
- Username: [email protected]
- Password: transportes
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/316-66-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
  - behavioral1/memory/316-67-0x000000000043761E-mapping.dmp / family_agenttesla
  - behavioral1/memory/316-68-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  Processes (resource / yara_rule):
  - behavioral1/memory/1672-63-0x0000000000310000-0x000000000031B000-memory.dmp / CustAttr
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1672 set thread context of 316 / 1672 / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 316 / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe
  - 316 / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 316 / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 1672 wrote to memory of 316 / 1672 / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe / 184285013-044310-sanlccjavap0003-7069_pdf (2).exe (this row is recorded 9 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\184285013-044310-sanlccjavap0003-7069_pdf (2).exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\184285013-044310-sanlccjavap0003-7069_pdf (2).exe"
  PID: 1672
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\184285013-044310-sanlccjavap0003-7069_pdf (2).exe (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\184285013-044310-sanlccjavap0003-7069_pdf (2).exe"
    PID: 316
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/316-66-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/316-67-0x000000000043761E-mapping.dmp
- memory/316-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/316-70-0x0000000004BC0000-0x0000000004BC1000-memory.dmp (Filesize: 4KB)
- memory/316-71-0x0000000004BC1000-0x0000000004BC2000-memory.dmp (Filesize: 4KB)
- memory/1672-60-0x0000000001160000-0x0000000001161000-memory.dmp (Filesize: 4KB)
- memory/1672-62-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize: 4KB)
- memory/1672-63-0x0000000000310000-0x000000000031B000-memory.dmp (Filesize: 44KB)
- memory/1672-64-0x00000000053D0000-0x0000000005447000-memory.dmp (Filesize: 476KB)
- memory/1672-65-0x0000000000C80000-0x0000000000CB9000-memory.dmp (Filesize: 228KB)