Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 01-12-2021 16:33
Static task: static1
Behavioral task: behavioral1
- Sample: TRANSFER SLIP.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: TRANSFER SLIP.exe
- Resource: win10-en-20211014
General
- Target: TRANSFER SLIP.exe
- Size: 488KB
- MD5: 7013a024b99d8e32f3559117f3a89b9d
- SHA1: d0eb94f6f86631be9a82a77508acd8bcf66941b9
- SHA256: 31ead0a4244133d6fb9387ff1490db83b9fd2dd6666fcd2897c4b1e72c5bf665
- SHA512: 2f37a1dc97e2a9eefd0b87c8dfa6ab34dcbe61bff9bc5ea351a46c399e230132166ed231910d32178fc96162d5033dfc8373c553de564ec221543a5009df4cf4
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.framafilms.com
- Port: 587
- Username: [email protected]
- Password: lister11
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (5 IoCs)
Processes (resource / yara_rule):
  - behavioral1/memory/1064-66-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1064-67-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1064-68-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1064-69-0x00000000004374AE-mapping.dmp: family_agenttesla
  - behavioral1/memory/1064-70-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (TRANSFER SLIP.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (TRANSFER SLIP.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (TRANSFER SLIP.exe)
- Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  - PID 1200 (TRANSFER SLIP.exe) set thread context of PID 1064 (TRANSFER SLIP.exe)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
  - 1064 TRANSFER SLIP.exe
  - 1064 TRANSFER SLIP.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  - Token: SeDebugPrivilege, PID 1064 (TRANSFER SLIP.exe)
- Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description / pid / process / target process):
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 620 (schtasks.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 620 (schtasks.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 620 (schtasks.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 620 (schtasks.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
  - PID 1200 (TRANSFER SLIP.exe) wrote to memory of PID 1064 (TRANSFER SLIP.exe)
- outlook_office_path (1 IoC)
Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (TRANSFER SLIP.exe)
- outlook_win_path (1 IoC)
Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (TRANSFER SLIP.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\TRANSFER SLIP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TRANSFER SLIP.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yvaSBtNNzYqZUt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7291.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TRANSFER SLIP.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7291.tmp
  - MD5: 6e7c63e5331dc434bce1aed7d9865bea
  - SHA1: ae4af7be240d8ceccf22601a700a227092fb0c14
  - SHA256: 69fd3d0184be99d8f8df0cff4c01e2412dba38eb0039619f2a276a5334d90f39
  - SHA512: fb2df562bc6fe913e700b8cccbcce47a7708b8b6649e60808054931c8bb29d597ca371f0b6f9690ee6c867abaf74b3296c2a5b0ea0c221943163db44d64b5406
- memory/620-62-0x0000000000000000-mapping.dmp
- memory/1064-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1064-67-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1064-73-0x00000000047B1000-0x00000000047B2000-memory.dmp (Filesize: 4KB)
- memory/1064-72-0x00000000047B0000-0x00000000047B1000-memory.dmp (Filesize: 4KB)
- memory/1064-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1064-69-0x00000000004374AE-mapping.dmp
- memory/1064-64-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1064-65-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1064-66-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1200-58-0x00000000008D0000-0x00000000008D1000-memory.dmp (Filesize: 4KB)
- memory/1200-55-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize: 4KB)
- memory/1200-57-0x0000000075851000-0x0000000075853000-memory.dmp (Filesize: 8KB)
- memory/1200-59-0x0000000000430000-0x0000000000435000-memory.dmp (Filesize: 20KB)
- memory/1200-61-0x0000000000950000-0x0000000000988000-memory.dmp (Filesize: 224KB)
- memory/1200-60-0x00000000051A0000-0x000000000521D000-memory.dmp (Filesize: 500KB)