Analysis
-
max time kernel
116s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 12:14
Static task
static1
Behavioral task
behavioral1
Sample
ORDER_DA.scr
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ORDER_DA.scr
Resource
win10v2004-20220414-en
General
-
Target
ORDER_DA.scr
-
Size
579KB
-
MD5
f6aba9195644c0b69efff06ecf23e6c4
-
SHA1
fb76eb813b4e072d68ffe2916a578d14cf845824
-
SHA256
03fc6fb46457641645117a9c29292069714568ff711647455c70769d7ab3485a
-
SHA512
3f4d8bfd0dd0104b3d48df9201b1a7628a326b43a8467b3830f002a799d7ada0288d46281c57126d5ddee93a0adb16e3577797ba80104333e55af3e66a1cf7c7
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1392-59-0x00000000048E0000-0x000000000492C000-memory.dmp family_agenttesla -
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral1/memory/1392-58-0x00000000045A0000-0x00000000045F4000-memory.dmp rezer0 -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
ORDER_DA.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORDER_DA.scr Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORDER_DA.scr Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORDER_DA.scr -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
ORDER_DA.scrpid process 1392 ORDER_DA.scr 1392 ORDER_DA.scr 1392 ORDER_DA.scr 1392 ORDER_DA.scr -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ORDER_DA.scrdescription pid process Token: SeDebugPrivilege 1392 ORDER_DA.scr -
outlook_office_path 1 IoCs
Processes:
ORDER_DA.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORDER_DA.scr -
outlook_win_path 1 IoCs
Processes:
ORDER_DA.scrdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORDER_DA.scr
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1392-54-0x0000000000C90000-0x0000000000D28000-memory.dmpFilesize
608KB
-
memory/1392-55-0x0000000000B00000-0x0000000000B5C000-memory.dmpFilesize
368KB
-
memory/1392-56-0x0000000075951000-0x0000000075953000-memory.dmpFilesize
8KB
-
memory/1392-57-0x0000000000A80000-0x0000000000A88000-memory.dmpFilesize
32KB
-
memory/1392-58-0x00000000045A0000-0x00000000045F4000-memory.dmpFilesize
336KB
-
memory/1392-59-0x00000000048E0000-0x000000000492C000-memory.dmpFilesize
304KB