Analysis
- max time kernel: 50s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 10:55
Static task: static1
Behavioral task: behavioral1
- Sample: Machine PO3742020.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Machine PO3742020.exe
- Resource: win10v2004-20220414-en
General
- Target: Machine PO3742020.exe
- Size: 933KB
- MD5: 7c4973893485e12e5cc3a888d42b8518
- SHA1: 21f6a5344a658ae2e79415f086d7663673e2d3c8
- SHA256: 5ebbf9654d1eeecb0f4b71e3253d1420c131277d93af9a47150b9f631958fd8d
- SHA512: 9fc1ddca8381913e5432611eefbe69375a4df9a425a9ea21304500047ef24c42cb7d0437b3010835a0fa401d932f711a86d8a38c4f058f98b79d4dbcbe8d8596
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.radarcncs.com/
- Port: 21
- Username: [email protected]
- Password: 8,4=M~_i,5NV
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 1 IoCs
Processes:
- resource: behavioral1/memory/1736-60-0x0000000000400000-0x0000000000466000-memory.dmp; yara_rule: family_agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: RegAsm.exe
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: RegAsm.exe
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: RegAsm.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"; process: RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 1812 set thread context of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid: 1736; process: RegAsm.exe
- pid: 1736; process: RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
- pid: 1812; process: Machine PO3742020.exe
- pid: 1812; process: Machine PO3742020.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege; pid: 1736; process: RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid: 1736; process: RegAsm.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1232; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
- description: PID 1812 wrote to memory of 1736; pid: 1812; process: Machine PO3742020.exe; target process: RegAsm.exe
outlook_office_path 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: RegAsm.exe
outlook_win_path 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Machine PO3742020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Machine PO3742020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1736-58-0x00000000004610DE-mapping.dmp
- memory/1736-60-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1812-54-0x0000000000310000-0x0000000000400000-memory.dmp (Filesize: 960KB)
- memory/1812-55-0x0000000005330000-0x000000000539E000-memory.dmp (Filesize: 440KB)
- memory/1812-56-0x00000000755C1000-0x00000000755C3000-memory.dmp (Filesize: 8KB)
- memory/1812-57-0x0000000000400000-0x0000000000403000-memory.dmp (Filesize: 12KB)