Analysis
Max time kernel: 103s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 12:03

Static task: static1
Behavioral task: behavioral1
  Sample: Fwd Overdue balance request.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Fwd Overdue balance request.exe
  Resource: win10v2004-20220414-en
General
Target: Fwd Overdue balance request.exe
Size: 525KB
MD5: 327e095912044c837cd14c4790b5b722
SHA1: f2785765bf53962850454c04b2ae9a5781dad2c3
SHA256: d3f1a9f5aee95facc51d611b7deeef7da85a30c028be4a3cc9cd10d0e7bf99cf
SHA512: 29dc2737c9111bef912736b698a83e8295201317e8a062b8ec06b72ad4b4a40a0a291406e7f50e0947eeebd236bf2ced81aaf87c954ba1b7efea39c9208a9fba
Malware Config
Extracted (family: agenttesla)
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: [email protected]
  Password: Ijeomam288
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (1 IoC)
Processes:
  resource: behavioral2/memory/3136-136-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_agenttesla

CoreCCC Packer (1 IoC)
Detects CoreCCC packer used to load .NET malware.
Processes:
  resource: behavioral2/memory/4608-130-0x0000000000860000-0x00000000008EA000-memory.dmp
  yara_rule: coreccc

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: Fwd Overdue balance request.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fwd Overdue balance request.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fwd Overdue balance request.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fwd Overdue balance request.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: Fwd Overdue balance request.exe
  PID 4608 set thread context of 3136 (process: Fwd Overdue balance request.exe, target process: Fwd Overdue balance request.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Fwd Overdue balance request.exe
  PID 3136: Fwd Overdue balance request.exe
  PID 3136: Fwd Overdue balance request.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Fwd Overdue balance request.exe
  Token: SeDebugPrivilege (PID 3136, process: Fwd Overdue balance request.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Fwd Overdue balance request.exe
  PID 4608 wrote to memory of 3136 (process: Fwd Overdue balance request.exe, target process: Fwd Overdue balance request.exe) (8 identical entries)

outlook_office_path (1 IoC)
Processes: Fwd Overdue balance request.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fwd Overdue balance request.exe)

outlook_win_path (1 IoC)
Processes: Fwd Overdue balance request.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fwd Overdue balance request.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Fwd Overdue balance request.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fwd Overdue balance request.exe"
   PID: 4608
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Fwd Overdue balance request.exe (child of 1)
      Command line: "{path}"
      PID: 3136
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
memory/3136-135-0x0000000000000000-mapping.dmp
memory/3136-136-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
memory/3136-137-0x00000000065B0000-0x0000000006616000-memory.dmp (408KB)
memory/3136-138-0x0000000006C00000-0x0000000006C50000-memory.dmp (320KB)
memory/4608-130-0x0000000000860000-0x00000000008EA000-memory.dmp (552KB)
memory/4608-131-0x0000000005870000-0x0000000005E14000-memory.dmp (5.6MB)
memory/4608-132-0x00000000052C0000-0x0000000005352000-memory.dmp (584KB)
memory/4608-133-0x0000000005290000-0x000000000529A000-memory.dmp (40KB)
memory/4608-134-0x0000000007830000-0x00000000078CC000-memory.dmp (624KB)