Analysis
max time kernel: 143s
max time network: 123s
platform: windows7_x64
resource: win7-en-20211014
submitted: 19-10-2021 15:50

Static task: static1
Behavioral task: behavioral1
  Sample: DHL DOCUMENTS.exe
  Resource: win7-en-20211014
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: DHL DOCUMENTS.exe
  Resource: win10-en-20210920
  0 signatures, 0 seconds
General
Target: DHL DOCUMENTS.exe
Size: 747KB
MD5: d6e6a2b12de21b77970256e539a11b20
SHA1: bc2d1fd49e6c8f39be63e8f9aea10faee4fa9804
SHA256: 9621554c8727d49421880fb2870af9ba1073cfc93340a3b67a9aafa4ccac401e
SHA512: 5459cebf51e4603d4b3395c08a02c03b96a237e11f748c7b4116f16304413f41cee79a287089edab6150bf1cd00b666ca8dd1cf0a98c326bc25df0262904ac84
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials (exfiltration channel)
  Protocol: ftp
  Host: ftp://ftp.totallyanonymous.com/
  Port: 21
  Username: [email protected]
  Password: 613t705Z
Signatures

AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET. The sandbox matched the sample's in-memory payload to this family and extracted the FTP exfiltration credentials above.

AgentTesla Payload (4 IoCs)
Resource | YARA rule
behavioral1/memory/520-58-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/520-59-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/520-61-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/520-62-0x000000000043751E-mapping.dmp | family_agenttesla
All four hits are in PID 520, the child process, at the image base 0x400000: the family match is on the payload written into the child, not on the 747KB dropper on disk, which is why static scanning of the file alone may not flag the family.

Suspicious use of SetThreadContext (1 IoC)
Description | PID | Process | Target process
PID 1148 set thread context of 520 | 1148 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
A parent that writes into a child started from its own image (see the WriteProcessMemory entries below) and then changes that child's thread context is the process-hollowing pattern: PID 520 runs the unpacked payload under the dropper's file name and path.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID | Process
520 | DHL DOCUMENTS.exe
520 | DHL DOCUMENTS.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID | Process
1472 | dw20.exe
dw20.exe under Microsoft.NET\Framework\v2.0.50727 is the .NET Framework error-reporting shim, which the runtime launches when a managed application raises an unhandled exception. This hit is the crash reporter's own window polling, not behaviour of the sample, and its presence indicates the payload crashed at some point in this run.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description | PID | Process
Token: SeDebugPrivilege | 520 | DHL DOCUMENTS.exe
The hollowed child, not the dropper, enables SeDebugPrivilege.

Suspicious use of WriteProcessMemory (13 IoCs)
Description | PID | Process | Target process | Count
PID 1148 wrote to memory of 520 | 1148 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe | 9
PID 520 wrote to memory of 1472 | 520 | DHL DOCUMENTS.exe | dw20.exe | 4
The nine writes from 1148 into 520 precede the SetThreadContext call and carry the payload. The four writes from 520 into dw20.exe have no accompanying thread-context change and are consistent with ordinary child-process creation rather than a second injection.
Processes
C:\Users\Admin\AppData\Local\Temp\DHL DOCUMENTS.exe (PID 1148)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL DOCUMENTS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\DHL DOCUMENTS.exe (PID 520)
     Command line: "{path}"
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     └─ C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1472)
        Command line: dw20.exe -x -s 520
        - Suspicious behavior: GetForegroundWindowSpam
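The signature tables and process tree above describe the injection chain in prose. The following script, added here as an example and not part of the sandbox report, parses those same events (transcribed one per line from the WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken tables; the one-event-per-line layout is a constructed normalisation) and labels each source/target PID pair. It separates the hollowing pair (writes followed by a thread-context change, same image on both ends) from the write-only pair into dw20.exe, and reports which hollowed process then enabled SeDebugPrivilege. The function and field names are the example's own.

```python
import re

# Constructed input: one event per line, transcribed from the report's
# WriteProcessMemory / SetThreadContext / AdjustPrivilegeToken signature tables.
SIGNATURE_LINES = """\
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 1148 set thread context of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
PID 520 wrote to memory of 1472 520 DHL DOCUMENTS.exe dw20.exe
PID 520 wrote to memory of 1472 520 DHL DOCUMENTS.exe dw20.exe
PID 520 wrote to memory of 1472 520 DHL DOCUMENTS.exe dw20.exe
PID 520 wrote to memory of 1472 520 DHL DOCUMENTS.exe dw20.exe
Token: SeDebugPrivilege 520 DHL DOCUMENTS.exe
"""

# Row layout: "PID <src> <verb> <dst> <pid column> <source image> <target image>".
# Image names contain spaces, so they are matched non-greedily up to ".exe".
CROSS_PROCESS = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (.+?\.exe) (.+?\.exe)$"
)
# Row layout: "Token: <privilege> <pid> <image>".
TOKEN = re.compile(r"^Token: (\w+) (\d+) (.+?\.exe)$")


def parse_events(text):
    """Return (cross_process_events, token_events) parsed from the signature lines."""
    cross, tokens = [], []
    for line in text.splitlines():
        m = CROSS_PROCESS.match(line)
        if m:
            src, verb, dst, src_img, dst_img = m.groups()
            op = "write" if verb.startswith("wrote") else "set_thread_context"
            cross.append({"op": op, "src": int(src), "dst": int(dst),
                          "src_img": src_img, "dst_img": dst_img})
            continue
        m = TOKEN.match(line)
        if m:
            priv, pid, img = m.groups()
            tokens.append({"priv": priv, "pid": int(pid), "img": img})
    return cross, tokens


def classify_pairs(cross):
    """Group cross-process events by (src, dst) PID pair and label the pattern."""
    pairs = {}
    for e in cross:
        p = pairs.setdefault((e["src"], e["dst"]),
                             {"writes": 0, "ctx": False,
                              "src_img": e["src_img"], "dst_img": e["dst_img"]})
        if e["op"] == "write":
            p["writes"] += 1
        else:
            p["ctx"] = True
    findings = []
    for (src, dst), p in pairs.items():
        if p["writes"] and p["ctx"]:
            # Writes into the target followed by a thread-context change is the
            # hollowing sequence; the same image on both ends is self-injection.
            verdict = "process hollowing"
            if p["src_img"] == p["dst_img"]:
                verdict += " (same image, self-injection)"
        elif p["writes"]:
            # A parent also writes into a child it has just created, so writes
            # without a thread-context change are weak evidence on their own.
            verdict = "writes only (consistent with ordinary child creation)"
        else:
            verdict = "thread context only"
        findings.append({"src": src, "dst": dst, "writes": p["writes"],
                         "dst_img": p["dst_img"], "verdict": verdict})
    return findings


def hollowed_pids_with_debug_privilege(cross, tokens):
    """PIDs that were hollowed and afterwards enabled SeDebugPrivilege."""
    hollowed = {f["dst"] for f in classify_pairs(cross)
                if f["verdict"].startswith("process hollowing")}
    return sorted(t["pid"] for t in tokens
                  if t["priv"] == "SeDebugPrivilege" and t["pid"] in hollowed)


if __name__ == "__main__":
    cross, tokens = parse_events(SIGNATURE_LINES)
    for f in classify_pairs(cross):
        print(f"{f['src']} -> {f['dst']} ({f['dst_img']}): "
              f"{f['writes']} writes, {f['verdict']}")
    print("hollowed PIDs that enabled SeDebugPrivilege:",
          hollowed_pids_with_debug_privilege(cross, tokens))
```

Run on the transcribed events it reports 1148 -> 520 as nine writes plus a thread-context change on the same image, 520 -> 1472 as four writes only into dw20.exe, and PID 520 as the hollowed process that enabled SeDebugPrivilege. The same pairing logic applies to any report that lists these two API families per PID pair; the regexes are specific to this report's column layout.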
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
File | Filesize
memory/520-56-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/520-57-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/520-58-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/520-59-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/520-61-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/520-62-0x000000000043751E-mapping.dmp | (mapping, no size listed)
memory/520-64-0x0000000002070000-0x0000000002071000-memory.dmp | 4KB
memory/1148-54-0x00000000754A1000-0x00000000754A3000-memory.dmp | 8KB
memory/1148-55-0x00000000020D0000-0x00000000020D1000-memory.dmp | 4KB
memory/1148-60-0x00000000020D1000-0x00000000020D2000-memory.dmp | 4KB
memory/1472-65-0x0000000000000000-mapping.dmp | (mapping, no size listed)
memory/1472-67-0x0000000000520000-0x0000000000521000-memory.dmp | 4KB
The 0x400000-0x43C000 region of PID 520 (0x3C000 bytes, the listed 240KB) is the hollowed image that the family_agenttesla YARA rule matched; the dumps of PID 1148 cover only the dropper's small heap and loader regions.