Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:13

Static task: static1

Behavioral task: behavioral1
- Sample: 130003150.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 130003150.exe
- Resource: win10v2004-20220414-en
General
- Target: 130003150.exe
- Size: 660KB
- MD5: 7a968158b9741fc52607f73b6f2a3d60
- SHA1: 08cb17546a07ebbee90681447061411efc492229
- SHA256: c54cf445744aefec5a42006354295fd7b1adff5ba3c5d4906f7df4fa4a4076eb
- SHA512: 95892aa575bbf19f1b8da6b1d08c274cf93e6b8e2fdd318443427351a0fbac4af814192e13cac9e935a94e6e61c176019767c81b2f9aa12caea55485494c9b1c
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.prinutrition.com
- Port: 587
- Username: [email protected]
- Password: forrest

This is the exfiltration mailbox the sample logs stolen data to over SMTP; the host and port are usable as network indicators. The credentials belong to the attacker's collection account and should not be used to connect to the server.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; its loaders typically unpack the real payload in memory and inject it into a second copy of the same process.
- AgentTesla Payload (1 IoC)
  - resource: behavioral2/memory/1988-138-0x0000000000400000-0x0000000000466000-memory.dmp, yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by 130003150.exe:
  - \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  - PID 4204 (130003150.exe) set thread context of PID 1988 (130003150.exe)
  Combined with the WriteProcessMemory entries below (4204 writing repeatedly into 1988, a child running the same image), this is the process-hollowing pattern: the parent writes the unpacked payload into a suspended copy of itself and redirects its main thread to it.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - PID 4204 (130003150.exe) x5
  - PID 1988 (130003150.exe) x2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4204 (130003150.exe)
  - Token: SeDebugPrivilege, PID 1988 (130003150.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1988 (130003150.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 4204 (130003150.exe) wrote to memory of PID 3996 (130003150.exe) x3
  - PID 4204 (130003150.exe) wrote to memory of PID 1988 (130003150.exe) x8
- outlook_office_path (1 IoC)
  - Key opened by 130003150.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  - Key opened by 130003150.exe: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
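The WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken signatures above are individually weak (debuggers and installers trigger them too); the finding is in their correlation. The following added example, which is not part of the Triage report or its tooling, re-parses those rows and flags the injection pair. The EVENT_LOG is constructed from the report's rows for PIDs 4204, 3996 and 1988; the row format and the 3/8 write counts are taken from the report, and the function names are this example's own.

```python
"""Correlate flattened sandbox signature rows into a process-injection finding.

Added example, not part of the Triage report. EVENT_LOG is constructed from
the report's WriteProcessMemory / SetThreadContext / AdjustPrivilegeToken
rows for PIDs 4204, 3996 and 1988, one row per line.
"""
import re
from collections import defaultdict

# Constructed from the report's signature rows (same wording, one row per line).
EVENT_LOG = """\
Token: SeDebugPrivilege 4204 130003150.exe
PID 4204 wrote to memory of 3996 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 3996 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 3996 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 wrote to memory of 1988 4204 130003150.exe 130003150.exe
PID 4204 set thread context of 1988 4204 130003150.exe 130003150.exe
Token: SeDebugPrivilege 1988 130003150.exe
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")


def parse_events(log):
    """Return (writes, thread_ctx, images, privileges) extracted from the rows."""
    writes = defaultdict(int)      # (source_pid, target_pid) -> number of writes
    thread_ctx = set()             # (source_pid, target_pid) pairs
    images = {}                    # pid -> image name
    privileges = defaultdict(set)  # pid -> privileges enabled via AdjustTokenPrivileges
    for line in log.splitlines():
        if m := WRITE_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            writes[(int(src), int(dst))] += 1
            images[int(src)], images[int(dst)] = src_img, dst_img
        elif m := CTX_RE.match(line):
            src, dst, src_img, dst_img = m.groups()
            thread_ctx.add((int(src), int(dst)))
            images[int(src)], images[int(dst)] = src_img, dst_img
        elif m := TOKEN_RE.match(line):
            priv, pid, img = m.groups()
            privileges[int(pid)].add(priv)
            images[int(pid)] = img
    return writes, thread_ctx, images, privileges


def find_hollowing(log):
    """Flag (source, target) pairs where the source both wrote into the target
    and set a thread context in it: the hollowing / self-injection pattern.
    A target that was only written to (PID 3996 here) is not flagged."""
    writes, thread_ctx, images, privileges = parse_events(log)
    findings = []
    for src, dst in sorted(thread_ctx):
        if (src, dst) not in writes:
            continue  # context change without prior writes: not this pattern
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": writes[(src, dst)],
            "same_image": images[src] == images[dst],
            "source_has_debug_priv": "SeDebugPrivilege" in privileges[src],
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENT_LOG):
        print(finding)
```

Run against the constructed log this yields a single finding: 4204 injected into 1988 (same image, eight writes, SeDebugPrivilege held by the source). PID 3996 received three writes but no thread-context change, which matches the process tree, where that child shows no signatures of its own.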
Processes
- C:\Users\Admin\AppData\Local\Temp\130003150.exe "C:\Users\Admin\AppData\Local\Temp\130003150.exe" (level 1; PID 4204 per the signature entries)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\130003150.exe "{path}" (level 2; no signatures of its own, the child PID 3996 that the parent only wrote to)
  - C:\Users\Admin\AppData\Local\Temp\130003150.exe "{path}" (level 2; PID 1988, the hollowed child that runs the unpacked payload)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1988-137-0x0000000000000000-mapping.dmp
- memory/1988-138-0x0000000000400000-0x0000000000466000-memory.dmp (408KB)
- memory/1988-139-0x0000000005F00000-0x0000000005F66000-memory.dmp (408KB)
- memory/1988-140-0x00000000066F0000-0x0000000006740000-memory.dmp (320KB)
- memory/3996-136-0x0000000000000000-mapping.dmp
- memory/4204-130-0x00000000004B0000-0x000000000055C000-memory.dmpFilesize (688KB)
- memory/4204-131-0x0000000007970000-0x0000000007F14000-memory.dmp (5.6MB)
- memory/4204-132-0x0000000007460000-0x00000000074F2000-memory.dmp (584KB)
- memory/4204-133-0x00000000073D0000-0x00000000073DA000-memory.dmp (40KB)
- memory/4204-134-0x0000000007670000-0x00000000076D6000-memory.dmp (408KB)
- memory/4204-135-0x000000000A200000-0x000000000A29C000-memory.dmp (624KB)
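The dump names encode the process, a sequence number and the address range of each region, which is enough to decide which file to pull first. The added example below (not part of the Triage report) parses the names from the Downloads list, recomputes the sizes the report shows, and picks out the region in the injected child that the family_agenttesla rule matched, which is also the one mapped at 0x400000, the default preferred base of a 32-bit PE image. DUMP_FILES and YARA_HIT are copied from this report; the function names are this example's own.

```python
"""Turn memory-dump file names into sized regions and locate the payload dump.

Added example, not part of the Triage report. DUMP_FILES is copied from the
report's Downloads list; YARA_HIT is the dump the family_agenttesla rule
matched in the AgentTesla Payload signature.
"""
import re

DUMP_FILES = [
    "memory/1988-137-0x0000000000000000-mapping.dmp",
    "memory/1988-138-0x0000000000400000-0x0000000000466000-memory.dmp",
    "memory/1988-139-0x0000000005F00000-0x0000000005F66000-memory.dmp",
    "memory/1988-140-0x00000000066F0000-0x0000000006740000-memory.dmp",
    "memory/3996-136-0x0000000000000000-mapping.dmp",
    "memory/4204-130-0x00000000004B0000-0x000000000055C000-memory.dmp",
    "memory/4204-131-0x0000000007970000-0x0000000007F14000-memory.dmp",
    "memory/4204-132-0x0000000007460000-0x00000000074F2000-memory.dmp",
    "memory/4204-133-0x00000000073D0000-0x00000000073DA000-memory.dmp",
    "memory/4204-134-0x0000000007670000-0x00000000076D6000-memory.dmp",
    "memory/4204-135-0x000000000A200000-0x000000000A29C000-memory.dmp",
]
YARA_HIT = "memory/1988-138-0x0000000000400000-0x0000000000466000-memory.dmp"

REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
DEFAULT_IMAGE_BASE_32 = 0x400000  # default preferred base of a 32-bit PE image


def parse_region(name):
    """Return {pid, seq, start, end, size} for a region dump name, or None for
    the '-mapping.dmp' entries, which carry no address range."""
    m = REGION_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format the way the report does: whole KB below 1 MB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def regions_by_pid(names):
    """Group parsed regions by process id, skipping mapping dumps."""
    out = {}
    for name in names:
        region = parse_region(name)
        if region:
            out.setdefault(region["pid"], []).append(region)
    return out


def payload_candidates(names, yara_hit):
    """Regions in the YARA-hit process worth pulling first: the matched dump
    itself, and any region starting at the default 32-bit image base, where a
    PE written into a hollowed child is normally mapped."""
    hit = parse_region(yara_hit)
    candidates = []
    for region in regions_by_pid(names).get(hit["pid"], []):
        reasons = []
        if (region["start"], region["end"]) == (hit["start"], hit["end"]):
            reasons.append("yara family_agenttesla match")
        if region["start"] == DEFAULT_IMAGE_BASE_32:
            reasons.append("default 32-bit image base")
        if reasons:
            candidates.append(dict(region, reasons=reasons))
    return candidates


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMP_FILES).items()):
        for r in regions:
            print(pid, r["seq"], hex(r["start"]), hex(r["end"]), human_size(r["size"]))
    for c in payload_candidates(DUMP_FILES, YARA_HIT):
        print("candidate:", c["pid"], hex(c["start"]), human_size(c["size"]), c["reasons"])
```

The recomputed sizes agree with the Filesize values the report lists (0x66000 bytes is 408KB, 0x5A4000 bytes is 5.6MB). Note that the 1988-138 region at 0x400000, the 1988-139 region and the parent's 4204-134 region are all exactly 0x66000 bytes; the same-sized copy in the parent is consistent with the payload being staged in 4204 before being written into 1988, though the report itself only records the sizes, not the contents.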