Analysis
- max time kernel: 117s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:32
Static task: static1

Behavioral task: behavioral1
- Sample: DHL Tracer.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: DHL Tracer.exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: DHL Tracer.exe
- Size: 476KB
- MD5: f927ffcebf123c54c24b69a9f9f54d95
- SHA1: e41b24b92d2888b300f2b83914b2c2c2a35da5b4
- SHA256: 098081d46fdcd470aec4d1e75d2adeb27af1e7cb8c4930ce21e3b1ea781a8df2
- SHA512: 088623d18d34cac2d73026756b38ee8d4a4de47084c4db8a8b002010e11e211f8ed4e66bf7498cd3c26731151f1dc91d71182795ac342cba59c67118f595abd7
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: Mummy212
Signatures

AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. The extracted config above shows this sample is built to exfiltrate over SMTP (smtp.yandex.com:587).
AgentTesla Payload (6 IoCs)
resource | yara_rule
behavioral1/memory/1568-59-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1568-60-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1568-61-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1568-62-0x000000000044C66E-mapping.dmp | family_agenttesla
behavioral1/memory/1568-64-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/1568-66-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe" | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1700 set thread context of 1568 | 1700 | DHL Tracer.exe | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
1568 | RegSvcs.exe
1568 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 1568 | RegSvcs.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | process | target process | count
PID 1700 wrote to memory of 1568 | 1700 | DHL Tracer.exe | RegSvcs.exe | 12
PID 1568 wrote to memory of 1728 | 1568 | RegSvcs.exe | netsh.exe | 4

outlook_office_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoC)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Tracer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Tracer.exe"
  PID: 1700
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1568
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 1728
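The process tree above is the textbook AgentTesla unpacking chain: the dropper (PID 1700) spawns a signed .NET utility, RegSvcs.exe, with the literal command line "{path}", writes the unpacked payload into it and resets its thread context (process hollowing), and the hollowed RegSvcs.exe then does the stealer work (Outlook profile keys, a Run key under AppData\Roaming, "netsh wlan show profile"). The following is an added example, not part of the sandbox report or any vendor's rule set: it transcribes the signature rows on this page into constructed event records and runs triage rules over them. The event schema, the HOLLOW_HOSTS list and the path markers are the editor's own assumptions; the rules flag the write-plus-SetThreadContext pair only when the target is a known hollowing host, so the RegSvcs.exe-to-netsh.exe writes (a plain child-process launch) do not fire.

```python
"""Triage rules over the behavioural IoCs on this page.

Added example, not part of the sandbox report: the events are transcribed
by hand from the signature tables above (constructed data, not pulled from
any sandbox API) and the rules are the editor's own, not the vendor's.
"""
from collections import defaultdict
from dataclasses import dataclass

# Signed .NET utilities that packers commonly hollow; RegSvcs.exe is the one
# used by this sample. Assumption: illustrative list, not exhaustive.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe"}
# Registry paths the stealer opened to find Outlook account credentials.
MAIL_PROFILE_MARKERS = ("\\outlook\\profiles\\",
                        "\\windows messaging subsystem\\profiles\\")


@dataclass(frozen=True)
class Event:
    kind: str            # write_memory | set_thread_context | reg_open | reg_set | create_process
    pid: int
    image: str
    target_pid: int = 0
    target_image: str = ""
    key: str = ""
    value: str = ""
    cmdline: str = ""


def transcribed_events() -> list[Event]:
    """Constructed from the page: 1700 (dropper) -> 1568 (RegSvcs.exe) -> 1728 (netsh.exe)."""
    sid = "\\REGISTRY\\USER\\S-1-5-21-1083475884-596052423-1669053738-1000"
    ev = [Event("create_process", 1700, "DHL Tracer.exe",
                cmdline='"C:\\Users\\Admin\\AppData\\Local\\Temp\\DHL Tracer.exe"')]
    ev += [Event("write_memory", 1700, "DHL Tracer.exe", 1568, "RegSvcs.exe")] * 12
    ev.append(Event("set_thread_context", 1700, "DHL Tracer.exe", 1568, "RegSvcs.exe"))
    ev.append(Event("create_process", 1568, "RegSvcs.exe", cmdline='"{path}"'))
    ev.append(Event("reg_open", 1568, "RegSvcs.exe",
                    key=sid + "\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles"
                              "\\Outlook\\9375CFF0413111d3B88A00104B2A6676"))
    ev.append(Event("reg_set", 1568, "RegSvcs.exe",
                    key=sid + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LKUgjc",
                    value="C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe"))
    ev += [Event("write_memory", 1568, "RegSvcs.exe", 1728, "netsh.exe")] * 4
    ev.append(Event("create_process", 1728, "netsh.exe", cmdline='"netsh" wlan show profile'))
    return ev


def detect_hollowing(events):
    """Parent writes into a child AND resets its thread context, and the child
    is a trusted .NET host: that pairing is the hollowing pattern."""
    kinds_by_pair = defaultdict(set)
    images_by_pair = {}
    for e in events:
        if e.kind in ("write_memory", "set_thread_context"):
            kinds_by_pair[(e.pid, e.target_pid)].add(e.kind)
            images_by_pair[(e.pid, e.target_pid)] = (e.image, e.target_image)
    findings = []
    for (src, dst), kinds in kinds_by_pair.items():
        parent, child = images_by_pair[(src, dst)]
        if {"write_memory", "set_thread_context"} <= kinds and child.lower() in HOLLOW_HOSTS:
            findings.append(("process_hollowing", src, dst, f"{parent} -> {child}"))
    return findings


def detect_persistence(events):
    """Run-key values that point into per-user writable locations."""
    findings = []
    for e in events:
        if e.kind == "reg_set" and "\\currentversion\\run\\" in e.key.lower():
            if "\\appdata\\" in e.value.lower() or "\\temp\\" in e.value.lower():
                findings.append(("run_key_persistence", e.pid, e.key.rsplit("\\", 1)[-1], e.value))
    return findings


def detect_credential_access(events):
    """Outlook profile key reads and Wi-Fi profile dumping via netsh."""
    findings = []
    for e in events:
        if e.kind == "reg_open" and any(m in e.key.lower() for m in MAIL_PROFILE_MARKERS):
            findings.append(("outlook_profile_access", e.pid, e.image))
        if (e.kind == "create_process" and e.image.lower() == "netsh.exe"
                and "wlan show profile" in e.cmdline.lower()):
            findings.append(("wifi_profile_harvest", e.pid, e.cmdline))
    return findings


def triage(events):
    return detect_hollowing(events) + detect_persistence(events) + detect_credential_access(events)


if __name__ == "__main__":
    for finding in triage(transcribed_events()):
        print(*finding, sep="\t")
```

Against the transcribed events this yields four findings: one hollowing pair (1700 into 1568), the LKUgjc Run key, the Outlook profile read and the netsh Wi-Fi dump. On a live host the same three rules map onto Sysmon event IDs 8/10 (CreateRemoteThread/ProcessAccess), 13 (registry value set) and 1 (process creation); the hollowing rule is what separates this chain from an ordinary parent that merely launches a child.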
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1568-56-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-57-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-59-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-60-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-61-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-62-0x000000000044C66E-mapping.dmp
- memory/1568-64-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-66-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1568-68-0x0000000074170000-0x000000007471B000-memory.dmp (5.7MB)
- memory/1700-54-0x0000000075841000-0x0000000075843000-memory.dmp (8KB)
- memory/1700-55-0x0000000074720000-0x0000000074CCB000-memory.dmp (5.7MB)
- memory/1728-69-0x0000000000000000-mapping.dmp