Analysis
- Max time kernel: 123s
- Max time network: 152s
- Platform: windows10_x64
- Resource: win10-en-20211014
- Submitted: 21-10-2021 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: RFQ.exe
  Resource: win10-en-20211014
General
- Target: RFQ.exe
- Size: 585KB
- MD5: e3fc0a2977f6ace1e8dcc4d170613b6e
- SHA1: 0fd7d3e125ae5971855a1ba0e204ec5ae0f4829d
- SHA256: 24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604
- SHA512: 1b19a53b46d5a7c2d2ac7c5c3595f775f78da42e5f8ca3babf1e71406c5d990447238aea61be66c28eff0bc620fc7a5858181e4e97b2f38e694cb7b27708bef2
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.conreivestments.com
- Port: 587
- Username: [email protected]
- Password: ~zi@3dw1_IqN
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource, YARA rule):
    behavioral2/memory/2288-117-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral2/memory/2288-118-0x00000000004375AE-mapping.dmp  family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid/process, target process):
    PID 2508 (RFQ.exe) set thread context of PID 2288 (RFQ.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1184  dw20.exe
    1184  dw20.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  1184  dw20.exe
    Token: SeBackupPrivilege   1184  dw20.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid/process, target process):
    PID 2508 (RFQ.exe) wrote to memory of PID 2288 (RFQ.exe)   (8 events)
    PID 2288 (RFQ.exe) wrote to memory of PID 1184 (dw20.exe)  (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 708
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RFQ.exe.log
  MD5: 568e6f2b186c39075772d775e4189f57
  SHA1: 02f642cfdd1491b1ce69e81925ed336975e2f972
  SHA256: d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4
  SHA512: ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156
- memory/1184-120-0x0000000000000000-mapping.dmp
- memory/2288-117-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/2288-118-0x00000000004375AE-mapping.dmp
- memory/2288-121-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
  Filesize: 4KB
- memory/2508-115-0x0000000002810000-0x0000000002811000-memory.dmp
  Filesize: 4KB
- memory/2508-116-0x0000000002812000-0x0000000002814000-memory.dmp
  Filesize: 8KB