Analysis
- max time kernel: 148s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:59
Static task: static1
Behavioral task: behavioral1
- Sample: GSO-1367-27072020112017.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: GSO-1367-27072020112017.exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: GSO-1367-27072020112017.exe
- Size: 611KB
- MD5: 2d04103bda6d755fd47c94d6773574c1
- SHA1: 41cc7cde2fff3f79a7124545e5a449bd42db4e14
- SHA256: 8f93c794e02fbd006a5a7d2f929042819d7d5666ccb976ff248eef4dc6d2591e
- SHA512: feb803979827b575b40b73710164cb2be368cf5800e253b1260f1afbf0eaf21b6dcb95456b1857ef7d4101dd6917a43362427bfe43765b242659958048c10e8d
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: us2.smtp.mailhostbox.com
  - Port: 587
  - Username: [email protected]
  - Password: %kHFH^!4
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/4432-138-0x0000000000400000-0x000000000044C000-memory.dmp, yara_rule: family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1996 (GSO-1367-27072020112017.exe) set thread context of PID 4432 (GSO-1367-27072020112017.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - PID 1996 GSO-1367-27072020112017.exe (8 entries)
  - PID 4432 GSO-1367-27072020112017.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1996 GSO-1367-27072020112017.exe
  - Token: SeDebugPrivilege, PID 4432 GSO-1367-27072020112017.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 1996 (GSO-1367-27072020112017.exe) wrote to memory of PID 2576 (GSO-1367-27072020112017.exe) (3 entries)
  - PID 1996 (GSO-1367-27072020112017.exe) wrote to memory of PID 3792 (GSO-1367-27072020112017.exe) (3 entries)
  - PID 1996 (GSO-1367-27072020112017.exe) wrote to memory of PID 4432 (GSO-1367-27072020112017.exe) (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe" (level 1, PID 1996)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
    Command line: "{path}" (level 2, PID 2576)
  - C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
    Command line: "{path}" (level 2, PID 3792)
  - C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
    Command line: "{path}" (level 2, PID 4432)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1996-130-0x00000000007C0000-0x000000000085E000-memory.dmp (Filesize: 632KB)
- memory/1996-131-0x00000000057D0000-0x0000000005D74000-memory.dmp (Filesize: 5.6MB)
- memory/1996-132-0x00000000052C0000-0x0000000005352000-memory.dmp (Filesize: 584KB)
- memory/1996-133-0x00000000051F0000-0x00000000051FA000-memory.dmp (Filesize: 40KB)
- memory/1996-134-0x000000000E5E0000-0x000000000E67C000-memory.dmp (Filesize: 624KB)
- memory/2576-135-0x0000000000000000-mapping.dmp
- memory/3792-136-0x0000000000000000-mapping.dmp
- memory/4432-137-0x0000000000000000-mapping.dmp
- memory/4432-138-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/4432-139-0x0000000005960000-0x00000000059C6000-memory.dmp (Filesize: 408KB)