Analysis
- max time kernel: 96s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 06:10
Static task: static1
Behavioral task: behavioral1
- Sample: b063d4a9942d8b820ad62d2359d5263d.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: b063d4a9942d8b820ad62d2359d5263d.exe
- Resource: win10-en-20210920
The signature, process and memory-dump results below are from behavioral2 (resource win10-en-20210920, the Windows 10 x64 run listed under Analysis).
General
- Target: b063d4a9942d8b820ad62d2359d5263d.exe
- Size: 37KB
- MD5: b063d4a9942d8b820ad62d2359d5263d
- SHA1: ed42b11ac340a8b742ce61c2559b0154bcd75740
- SHA256: 25cb04e6ce30f98f9cad9aa1fab3682067d2fee08cc09fe7accf657b2df04a23
- SHA512: a4890ca4489ca9ccf5271a957dee6e3e2bd9344189cb7096071b0d94fec007f623c83da614722b39229beaf5be1612d180767dc8110ef82262e7f7ae3e10623b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dpobumber.com
- Port: 587
- Username: dpo23@dpobumber.com
- Password: m~IzyO$8asT+
This is the SMTP account the sample carries for sending stolen data; treat the host, port and username as blocking and hunting indicators (outbound SMTP to mail.dpobumber.com on 587 from a user endpoint).
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.
-
AgentTesla Payload (2 IoCs)
YARA rule family_agenttesla matched in:
- behavioral2/memory/584-121-0x0000000000400000-0x000000000043C000-memory.dmp
- behavioral2/memory/584-122-0x000000000043760E-mapping.dmp
Both hits are in the child process (PID 584), the process that the parent (PID 2388) writes to and retargets with SetThreadContext in the signatures below. The mapping address 0x43760E falls inside the 0x400000-0x43C000 region, consistent with the unpacked payload being loaded at that image base.
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, which infostealers often target.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Process: b063d4a9942d8b820ad62d2359d5263d.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook's per-account settings, including stored mail credentials; the sample checks the Office 2016 (16.0), Office 2013 (15.0) and legacy Windows Messaging Subsystem locations in turn.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
Process: PID 2388 b063d4a9942d8b820ad62d2359d5263d.exe (13 calls)
ThreadHideFromDebugger stops a debugger from receiving events for the calling thread; it is an anti-analysis measure in the loader, and all 13 calls come from the parent process, before injection.
-
Suspicious use of SetThreadContext (1 IoCs)
Process: PID 2388 b063d4a9942d8b820ad62d2359d5263d.exe set thread context of PID 584 b063d4a9942d8b820ad62d2359d5263d.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: PID 2388 b063d4a9942d8b820ad62d2359d5263d.exe (3), PID 584 b063d4a9942d8b820ad62d2359d5263d.exe (2)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Token SeDebugPrivilege, PID 2388 b063d4a9942d8b820ad62d2359d5263d.exe; Token SeDebugPrivilege, PID 584 b063d4a9942d8b820ad62d2359d5263d.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Process: PID 2388 b063d4a9942d8b820ad62d2359d5263d.exe wrote to memory of PID 584 b063d4a9942d8b820ad62d2359d5263d.exe (8 writes)
Together with the SetThreadContext event above this is the process-hollowing sequence: the parent starts a second copy of its own executable, writes the payload into it and redirects the child's thread to the written image, which is where the family_agenttesla YARA hits land.
-
outlook_office_path (1 IoCs)
Process: b063d4a9942d8b820ad62d2359d5263d.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoCs)
Process: b063d4a9942d8b820ad62d2359d5263d.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
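The signature tables above are flattened rows rather than structured events, and the injection verdict only emerges when the SetThreadContext and WriteProcessMemory rows are read together. The Python below is an added example, not part of the sandbox report or its tooling: it parses a constructed subset of those rows (copied from the tables and re-split one event per line by hand), pairs each SetThreadContext on another process with the WriteProcessMemory calls from the same source to the same target, and classifies the opened registry keys with the same distinction the outlook_office_path and outlook_win_path signatures draw. The regexes, function names and the choice to treat any Office\N.0\Outlook\Profiles key as an "office" hit (the report's own outlook_office_path rule fired only on 16.0) are my assumptions.

```python
"""Correlate flattened sandbox signature rows into an injection verdict
and classify Outlook profile registry keys.

Added example; not part of the sandbox report or its tooling.  EVENTS is
a constructed subset of the report's rows, re-split by hand so that each
row is one line (the report shows eight identical "wrote to memory"
rows; two are enough to exercise the logic)."""
import re
from collections import defaultdict

EVENTS = r"""
PID 2388 set thread context of 584 2388 b063d4a9942d8b820ad62d2359d5263d.exe b063d4a9942d8b820ad62d2359d5263d.exe
PID 2388 wrote to memory of 584 2388 b063d4a9942d8b820ad62d2359d5263d.exe b063d4a9942d8b820ad62d2359d5263d.exe
PID 2388 wrote to memory of 584 2388 b063d4a9942d8b820ad62d2359d5263d.exe b063d4a9942d8b820ad62d2359d5263d.exe
Token: SeDebugPrivilege 2388 b063d4a9942d8b820ad62d2359d5263d.exe
Token: SeDebugPrivilege 584 b063d4a9942d8b820ad62d2359d5263d.exe
Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 b063d4a9942d8b820ad62d2359d5263d.exe
Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 b063d4a9942d8b820ad62d2359d5263d.exe
Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 b063d4a9942d8b820ad62d2359d5263d.exe
"""

# Row shapes as they appear in the report (the regexes are my assumption).
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")
KEY_RE = re.compile(r"^Key opened (.+?) (\S+)$")  # the path may contain spaces

# Outlook account-settings locations, mirroring the two sandbox labels.
# Any Office\N.0\Outlook\Profiles key counts as "office" here; the report's
# own outlook_office_path rule fired only on the 16.0 key.
OFFICE_PROFILE_RE = re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)
WIN_PROFILE_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I)


def parse_events(text):
    """Turn one-row-per-line signature text into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := CTX_RE.match(line):
            events.append({"kind": "set_thread_context", "src": int(m[1]), "dst": int(m[2])})
        elif m := WRITE_RE.match(line):
            events.append({"kind": "write_memory", "src": int(m[1]), "dst": int(m[2])})
        elif m := TOKEN_RE.match(line):
            events.append({"kind": "privilege", "priv": m[1], "pid": int(m[2]), "image": m[3]})
        elif m := KEY_RE.match(line):
            events.append({"kind": "key_opened", "path": m[1], "image": m[2]})
    return events


def find_hollowing(events):
    """Return (src, dst, write_count) for every SetThreadContext on another
    process that the same source also wrote to.  Order-independent, because
    the report groups rows by signature, not by time."""
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "write_memory" and e["src"] != e["dst"]:
            writes[(e["src"], e["dst"])] += 1
    hits = []
    for e in events:
        if e["kind"] == "set_thread_context" and e["src"] != e["dst"]:
            key = (e["src"], e["dst"])
            if writes.get(key):
                hits.append((key[0], key[1], writes[key]))
    return hits


def classify_outlook_key(path):
    """Map a registry path to the sandbox's label, or None if it is not an
    Outlook profile location."""
    if OFFICE_PROFILE_RE.search(path):
        return "outlook_office_path"
    if WIN_PROFILE_RE.search(path):
        return "outlook_win_path"
    return None


def outlook_profile_hits(events):
    """Count opened keys per Outlook profile label."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "key_opened":
            label = classify_outlook_key(e["path"])
            if label:
                counts[label] += 1
    return dict(counts)


def debug_privilege_pids(events):
    """PIDs that enabled SeDebugPrivilege (needed to open other processes)."""
    return sorted({e["pid"] for e in events
                   if e["kind"] == "privilege" and e["priv"] == "SeDebugPrivilege"})


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("hollowing pairs (src, dst, writes):", find_hollowing(evs))
    print("outlook profile keys:", outlook_profile_hits(evs))
    print("SeDebugPrivilege enabled by:", debug_privilege_pids(evs))
```

On the report's rows this yields one hollowing pair, 2388 into 584, which is exactly the child that the two family_agenttesla memory hits belong to; a SetThreadContext with no write from the same source to the same target is deliberately not reported, since a thread-context change alone is also what a debugger or a legitimate installer does.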
Processes
- C:\Users\Admin\AppData\Local\Temp\b063d4a9942d8b820ad62d2359d5263d.exe "C:\Users\Admin\AppData\Local\Temp\b063d4a9942d8b820ad62d2359d5263d.exe" (depth 1; PID 2388 per the signature tables)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b063d4a9942d8b820ad62d2359d5263d.exe "C:\Users\Admin\AppData\Local\Temp\b063d4a9942d8b820ad62d2359d5263d.exe" (depth 2; PID 584, the injection target)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)
- memory/2388-115-0x0000000000B80000-0x0000000000B81000-memory.dmp: 4KB
- memory/2388-117-0x0000000005380000-0x0000000005381000-memory.dmp: 4KB
- memory/2388-118-0x00000000055F0000-0x00000000055F1000-memory.dmp: 4KB
- memory/2388-119-0x0000000005F30000-0x0000000005F77000-memory.dmp: 284KB
- memory/2388-120-0x0000000006480000-0x0000000006481000-memory.dmp: 4KB
- memory/584-121-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB (family_agenttesla YARA hit)
- memory/584-122-0x000000000043760E-mapping.dmp: no size listed (family_agenttesla YARA hit)
- memory/584-127-0x0000000005690000-0x0000000005691000-memory.dmp: 4KB
- memory/584-128-0x00000000056E0000-0x00000000056E1000-memory.dmp: 4KB
- memory/584-129-0x0000000006310000-0x0000000006311000-memory.dmp: 4KB
- memory/584-130-0x00000000067D0000-0x00000000067D1000-memory.dmp: 4KB
- memory/584-131-0x00000000057B0000-0x00000000057B1000-memory.dmp: 4KB
- memory/584-132-0x0000000005691000-0x0000000005692000-memory.dmp: 4KB
The 0x400000-0x43C000 dump of PID 584 is the one to pull for static analysis: it is the image written into the hollowed child, and the 240KB listed size matches its address range.
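Each dump name above encodes the PID, a sequence number and the region bounds, so two checks can be run on the list without opening a single file: whether the listed Filesize agrees with the address range, and which region a mapping address falls into. The Python below is an added example, not part of the report or the sandbox, working on a constructed subset of the names; it resolves the mapping address 0x43760E to the 0x400000-0x43C000 region of PID 584, which ties the second family_agenttesla hit to the hollowed image. Function and field names are my own.

```python
"""Sanity-check memory-dump names from a sandbox Downloads list.

Added example; not from the report or the sandbox.  DUMPS is a constructed
subset of the list above, as (file name, listed Filesize in KB, or None
where the page lists no size)."""
import re
from collections import namedtuple

Region = namedtuple("Region", "pid seq start end listed_kb")

# Name shapes as they appear in the list (regexes are my assumption).
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")

DUMPS = [
    ("memory/2388-115-0x0000000000B80000-0x0000000000B81000-memory.dmp", 4),
    ("memory/2388-119-0x0000000005F30000-0x0000000005F77000-memory.dmp", 284),
    ("memory/584-121-0x0000000000400000-0x000000000043C000-memory.dmp", 240),
    ("memory/584-122-0x000000000043760E-mapping.dmp", None),
    ("memory/584-127-0x0000000005690000-0x0000000005691000-memory.dmp", 4),
]


def parse_dumps(dumps):
    """Split names into address-range regions and single-address mappings."""
    regions, mappings = [], []
    for name, kb in dumps:
        if m := DUMP_RE.match(name):
            regions.append(Region(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16), kb))
        elif m := MAP_RE.match(name):
            mappings.append((int(m[1]), int(m[2]), int(m[3], 16)))
    return regions, mappings


def size_mismatches(regions):
    """Regions whose listed Filesize disagrees with end - start (in KB)."""
    return [r for r in regions
            if r.listed_kb is not None and (r.end - r.start) // 1024 != r.listed_kb]


def region_containing(regions, pid, addr):
    """The region of `pid` that holds `addr`, or None if no dump covers it."""
    for r in regions:
        if r.pid == pid and r.start <= addr < r.end:
            return r
    return None


def resolve_mappings(dumps):
    """Map every mapping dump (pid, seq) to the region of the same PID it lands in."""
    regions, mappings = parse_dumps(dumps)
    return {(pid, seq): region_containing(regions, pid, addr)
            for pid, seq, addr in mappings}


if __name__ == "__main__":
    regions, _ = parse_dumps(DUMPS)
    print("size mismatches:", size_mismatches(regions))
    for key, region in resolve_mappings(DUMPS).items():
        print(key, "->", region)
```

The size check passes for every region in the list (0x43C000 - 0x400000 = 0x3C000 bytes = 240KB, 0x5F77000 - 0x5F30000 = 284KB), and the mapping at 0x43760E resolves to the 584-121 region, so both YARA hits point at the same injected image.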