Analysis

  • max time kernel
    121s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    24-06-2020 13:33

General

  • Target

    Factura pendiente.exe

  • Size

    512KB

  • MD5

    85a206115a80d17c60affe071a0358a3

  • SHA1

    8bf88e4e27ed28b6ea14066ec9b53582ee29476a

  • SHA256

    fb72ce99cc2d45f842ac5cd6e4e3aeb1b9e66e4fea75b4edfd57ce9a8d3223ca

  • SHA512

    62ba4aca9df5000f4f55cfacb2f1becbb2277491d45958044836d2f7cf35fcc33dffe149e6d1a8f18154fd4d67425ffff657e689fcbac04acdccb3bd46e47f46

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Factura pendiente.exe
    "C:\Users\Admin\AppData\Local\Temp\Factura pendiente.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pDxmcfQON" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE426.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Credential Access
    Credentials in Files (3) T1081
  • Discovery
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (3) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE426.tmp
    MD5

    3d38b2fda3975dba18f7c0dd8a10a325

    SHA1

    f9215e90585b3df2df8a26e43889990892527400

    SHA256

    081872672be3878a0ef6cb9e152aa9312244cd23481278dcd5aaf646b0ad1de6

    SHA512

    d4cb1de4c49362b401e1e89fa878e78a3685445dce3d60726301239ec0193da1fa079304ea3e575d3700b7a8e1d5a4a5965e9268a7026543075d30070bc42036

  • memory/1060-1-0x0000000000000000-0x0000000000000000-disk.dmp
  • memory/1892-2-0x0000000000000000-mapping.dmp