Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:32
Static task: static1

Behavioral task: behavioral1
- Sample: DHL Tracer.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: DHL Tracer.exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures
- 0 seconds
General
- Target: DHL Tracer.exe
- Size: 476KB
- MD5: f927ffcebf123c54c24b69a9f9f54d95
- SHA1: e41b24b92d2888b300f2b83914b2c2c2a35da5b4
- SHA256: 098081d46fdcd470aec4d1e75d2adeb27af1e7cb8c4930ce21e3b1ea781a8df2
- SHA512: 088623d18d34cac2d73026756b38ee8d4a4de47084c4db8a8b002010e11e211f8ed4e66bf7498cd3c26731151f1dc91d71182795ac342cba59c67118f595abd7
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: Mummy212
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (1 IoCs)
Processes:
  resource: behavioral2/memory/3156-134-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_agenttesla

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application (2 TTPs, 1 IoCs)
Process: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe"

Suspicious use of SetThreadContext (1 IoCs)
Process: DHL Tracer.exe
  PID 3144 set thread context of 3156 (DHL Tracer.exe -> RegSvcs.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: DHL Tracer.exe, RegSvcs.exe
  pid 3144 DHL Tracer.exe (4 events)
  pid 3156 RegSvcs.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: DHL Tracer.exe, RegSvcs.exe
  Token: SeDebugPrivilege, pid 3144 DHL Tracer.exe
  Token: SeDebugPrivilege, pid 3156 RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: DHL Tracer.exe, RegSvcs.exe
  PID 3144 wrote to memory of 1992 (DHL Tracer.exe -> RegSvcs.exe), 3 events
  PID 3144 wrote to memory of 4072 (DHL Tracer.exe -> RegSvcs.exe), 3 events
  PID 3144 wrote to memory of 3156 (DHL Tracer.exe -> RegSvcs.exe), 8 events
  PID 3156 wrote to memory of 1744 (RegSvcs.exe -> netsh.exe), 3 events

outlook_office_path (1 IoCs)
Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoCs)
Process: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

C:\Users\Admin\AppData\Local\Temp\DHL Tracer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Tracer.exe"
  PID: 3144
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1992

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 4072

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 3156
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 1744
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1744-136-0x0000000000000000-mapping.dmp
- memory/1992-131-0x0000000000000000-mapping.dmp
- memory/3144-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp (Filesize 5.7MB)
- memory/3156-133-0x0000000000000000-mapping.dmp
- memory/3156-134-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize 328KB)
- memory/3156-135-0x00000000748F0000-0x0000000074EA1000-memory.dmp (Filesize 5.7MB)
- memory/4072-132-0x0000000000000000-mapping.dmp