Analysis
- Max time kernel: 150s
- Max time network: 47s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 21-05-2022 01:39
Static task: static1
Behavioral task: behavioral1
- Sample: FALCOR PO .NO.FEC87257ADM20.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: FALCOR PO .NO.FEC87257ADM20.exe
- Resource: win10v2004-20220414-en
General
- Target: FALCOR PO .NO.FEC87257ADM20.exe
- Size: 398KB
- MD5: 02c7ba4e15c96f667bf893f24d209e1d
- SHA1: c14348d9407f32948b91be9d3df50862fb4ffdb9
- SHA256: bee57d303281d0b8e2e681015ab7e1ac8c82972328c4f43350b20cc3a0999f21
- SHA512: 48d23708e14a0fbe1e7eec34436f8204e7906f62bd8cc5bc756cb3b6529aca1b8328dcf682e389fdcdf48ef8fb2b534e35a35b01fe573248d66eb64037556d5e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: admin2214
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (6 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/812-64-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral1/memory/812-65-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral1/memory/812-66-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral1/memory/812-67-0x000000000044B8FE-mapping.dmp  family_agenttesla
  behavioral1/memory/812-70-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral1/memory/812-72-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
-
Executes dropped EXE (1 IoC)
Processes (pid / process):
  812  FALCOR PO .NO.FEC87257ADM20.exe
-
Drops startup file (2 IoCs)
Processes (description / ioc / process):
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe  FALCOR PO .NO.FEC87257ADM20.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe  FALCOR PO .NO.FEC87257ADM20.exe
-
Loads dropped DLL (1 IoC)
Processes (pid / process):
  1356  FALCOR PO .NO.FEC87257ADM20.exe
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  FALCOR PO .NO.FEC87257ADM20.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  FALCOR PO .NO.FEC87257ADM20.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  FALCOR PO .NO.FEC87257ADM20.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  PID 1356 set thread context of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid / process):
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  1356  FALCOR PO .NO.FEC87257ADM20.exe
  812  FALCOR PO .NO.FEC87257ADM20.exe
  812  FALCOR PO .NO.FEC87257ADM20.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  1356  FALCOR PO .NO.FEC87257ADM20.exe
  Token: SeDebugPrivilege  812  FALCOR PO .NO.FEC87257ADM20.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
  PID 1356 wrote to memory of 812  1356  FALCOR PO .NO.FEC87257ADM20.exe  FALCOR PO .NO.FEC87257ADM20.exe
-
outlook_office_path (1 IoC)
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  FALCOR PO .NO.FEC87257ADM20.exe
-
outlook_win_path (1 IoC)
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  FALCOR PO .NO.FEC87257ADM20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FALCOR PO .NO.FEC87257ADM20.exe (PID: 1356)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FALCOR PO .NO.FEC87257ADM20.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\FALCOR PO .NO.FEC87257ADM20.exe (PID: 812)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FALCOR PO .NO.FEC87257ADM20.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FALCOR PO .NO.FEC87257ADM20.exe
  Filesize: 398KB
  MD5: 02c7ba4e15c96f667bf893f24d209e1d
  SHA1: c14348d9407f32948b91be9d3df50862fb4ffdb9
  SHA256: bee57d303281d0b8e2e681015ab7e1ac8c82972328c4f43350b20cc3a0999f21
  SHA512: 48d23708e14a0fbe1e7eec34436f8204e7906f62bd8cc5bc756cb3b6529aca1b8328dcf682e389fdcdf48ef8fb2b534e35a35b01fe573248d66eb64037556d5e
- memory/812-67-0x000000000044B8FE-mapping.dmp
- memory/812-65-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/812-72-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/812-70-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/812-66-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/812-61-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/812-62-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/812-64-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1356-56-0x00000000041B0000-0x00000000041FC000-memory.dmp (Filesize: 304KB)
- memory/1356-57-0x0000000075361000-0x0000000075363000-memory.dmp (Filesize: 8KB)
- memory/1356-54-0x0000000000010000-0x000000000007A000-memory.dmp (Filesize: 424KB)
- memory/1356-55-0x00000000006A0000-0x00000000006A8000-memory.dmp (Filesize: 32KB)
- memory/1356-59-0x0000000002050000-0x0000000002064000-memory.dmp (Filesize: 80KB)
- memory/1356-58-0x0000000002020000-0x0000000002036000-memory.dmp (Filesize: 88KB)