Analysis
- max time kernel: 106s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:34
Static task: static1

Behavioral task: behavioral1
- Sample: RFQ.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: RFQ.exe
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures, 0 seconds
General
- Target: RFQ.exe
- Size: 569KB
- MD5: 105cc34e0dcb56a0bb61374f2e6eaae6
- SHA1: 5e9dc5c0907fd3d4d3d3debc923b1715881da818
- SHA256: a4d604ac931839ec691dccc2474d80bf2f826693d4ce914a161a484288ebe20a
- SHA512: 6133b8dc30fd532d585032acf515f49dce624139411a0c1879bd10a582a104743feed8d3c71523360c0e37d4bc5cc3141c7e1f0bc98f141010a7b127a20d6384
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: challenge12345@
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (1 IoCs)
Processes:
  resource                                                           | yara_rule
  behavioral2/memory/3148-135-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Key opened  | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: RegSvcs.exe
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe" | RegSvcs.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: RFQ.exe
  description                              | pid  | process | target process
  PID 4704 set thread context of 3148      | 4704 | RFQ.exe | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: RegSvcs.exe
  pid  | process
  3148 | RegSvcs.exe
  3148 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: RegSvcs.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 3148 | RegSvcs.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: RFQ.exe, RegSvcs.exe
  description                        | pid  | process     | target process
  PID 4704 wrote to memory of 3148   | 4704 | RFQ.exe     | RegSvcs.exe      (8 entries)
  PID 3148 wrote to memory of 5064   | 3148 | RegSvcs.exe | netsh.exe        (3 entries)
outlook_office_path (1 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Key opened  | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
Processes: RegSvcs.exe
  description | ioc | process
  Key opened  | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3148-134-0x0000000000000000-mapping.dmp
- memory/3148-135-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/3148-136-0x0000000005F00000-0x0000000005F66000-memory.dmp (Filesize: 408KB)
- memory/3148-137-0x00000000063E0000-0x0000000006430000-memory.dmp (Filesize: 320KB)
- memory/3148-139-0x0000000006620000-0x000000000662A000-memory.dmp (Filesize: 40KB)
- memory/4704-130-0x0000000000750000-0x00000000007E4000-memory.dmp (Filesize: 592KB)
- memory/4704-131-0x0000000007B30000-0x00000000080D4000-memory.dmp (Filesize: 5.6MB)
- memory/4704-132-0x0000000007660000-0x00000000076F2000-memory.dmp (Filesize: 584KB)
- memory/4704-133-0x00000000077A0000-0x000000000783C000-memory.dmp (Filesize: 624KB)
- memory/5064-138-0x0000000000000000-mapping.dmp