Analysis
- max time kernel: 78s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 10:53
Static task: static1
Behavioral task: behavioral1
- Sample: 2020 Shipment details.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2020 Shipment details.exe
- Resource: win10v2004-20220414-en
General
- Target: 2020 Shipment details.exe
- Size: 636KB
- MD5: cfe84f4681713fdc9aada7c5b6331dd0
- SHA1: cc5820940c73f1ee6c7f95c48a80f13f7cd84dbe
- SHA256: 4ec6d85f82f9d0874d740c3fa5b94c800e25b5dcd05b63135f6da92a8644d70e
- SHA512: f922fd47b0d8e7d4f6c66585a2c5b557c051200c6ec47ea6a829ed2ba453ffa68b335d24ee08369d5da69fa33f0f6acdc653602d07c135b475c4e3bfd05a132b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.acroative.com
- Port: 587
- Username: [email protected]
- Password: onegod5050()
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1352-58-0x00000000002D0000-0x0000000000320000-memory.dmp | family_agenttesla
  behavioral1/memory/1352-57-0x00000000002D0000-0x0000000000320000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: 2020 Shipment details.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2020 Shipment details.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2020 Shipment details.exe
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2020 Shipment details.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 2020 Shipment details.exe
  description | pid | process | target process
  PID 2000 set thread context of 1352 | 2000 | 2020 Shipment details.exe | 2020 Shipment details.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: 2020 Shipment details.exe, 2020 Shipment details.exe
  pid | process
  2000 | 2020 Shipment details.exe
  1352 | 2020 Shipment details.exe
  1352 | 2020 Shipment details.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 2020 Shipment details.exe
  pid | process
  2000 | 2020 Shipment details.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 2020 Shipment details.exe
  description | pid | process
  Token: SeDebugPrivilege | 1352 | 2020 Shipment details.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 2020 Shipment details.exe, 2020 Shipment details.exe
  description | pid | process | target process
  PID 2000 wrote to memory of 1352 | 2000 | 2020 Shipment details.exe | 2020 Shipment details.exe
  PID 2000 wrote to memory of 1352 | 2000 | 2020 Shipment details.exe | 2020 Shipment details.exe
  PID 2000 wrote to memory of 1352 | 2000 | 2020 Shipment details.exe | 2020 Shipment details.exe
  PID 2000 wrote to memory of 1352 | 2000 | 2020 Shipment details.exe | 2020 Shipment details.exe
  PID 1352 wrote to memory of 460 | 1352 | 2020 Shipment details.exe | netsh.exe
  PID 1352 wrote to memory of 460 | 1352 | 2020 Shipment details.exe | netsh.exe
  PID 1352 wrote to memory of 460 | 1352 | 2020 Shipment details.exe | netsh.exe
  PID 1352 wrote to memory of 460 | 1352 | 2020 Shipment details.exe | netsh.exe
- outlook_office_path (1 IoC)
  Processes: 2020 Shipment details.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2020 Shipment details.exe
- outlook_win_path (1 IoC)
  Processes: 2020 Shipment details.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2020 Shipment details.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2020 Shipment details.exe (depth 1, PID 2000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2020 Shipment details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2020 Shipment details.exe (depth 2, PID 1352)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2020 Shipment details.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 460)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/460-61-0x0000000000000000-mapping.dmp
- memory/1352-55-0x00000000004AADC0-mapping.dmp
- memory/1352-58-0x00000000002D0000-0x0000000000320000-memory.dmp (Filesize: 320KB)
- memory/1352-57-0x00000000002D0000-0x0000000000320000-memory.dmp (Filesize: 320KB)
- memory/1352-60-0x00000000746F0000-0x0000000074C9B000-memory.dmp (Filesize: 5.7MB)
- memory/2000-54-0x0000000075221000-0x0000000075223000-memory.dmp (Filesize: 8KB)
- memory/2000-56-0x00000000004B0000-0x00000000004B9000-memory.dmp (Filesize: 36KB)