Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10
- submitted: 24-06-2020 15:08

Static task: static1

Behavioral task: behavioral1
- Sample: DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Resource: win10
General
- Target: DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Size: 1.4MB
- MD5: 5fe333e1a731213b8b761cfa114a4c24
- SHA1: c0eef045d92eac31b471e3e80abc1591088ada0b
- SHA256: b6be0879f87f35a6f4c27d1666cf8e183427e868944e6a23d035a13b6208dfb6
- SHA512: ee1dec45423c9c276add252c6f37270e356edc99bf27501b7ddaefeb78056dd5fcae5b55cdf19355b06bf19c9fba5ef33d38780a6d58933737be3f099015307a
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.kassohome.com.tr
- Port: 21
- Username: Ernest2020@kassohome.com.tr
- Password: jN9DaHjY3SiU
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid  | process
  3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                       | pid  | process                                  | target process
  PID 3844 wrote to memory of 3952  | 3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 3844 wrote to memory of 3952  | 3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 3844 wrote to memory of 3952  | 3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 3844 wrote to memory of 3952  | 3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 3844 wrote to memory of 3952  | 3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 3952 wrote to memory of 748   | 3952 | MSBuild.exe                              | netsh.exe
  PID 3952 wrote to memory of 748   | 3952 | MSBuild.exe                              | netsh.exe
  PID 3952 wrote to memory of 748   | 3952 | MSBuild.exe                              | netsh.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | process                                  | target process
  PID 3844 set thread context of 3952  | 3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 3952 | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  3952 | MSBuild.exe
  3952 | MSBuild.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid  | process
  3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  3844 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
Processes (process tree; each entry spawns the one indented beneath it)
1. C:\Users\Admin\AppData\Local\Temp\DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe"
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   - Suspicious use of SendNotifyMessage
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile