Analysis

  • max time kernel
    141s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    24-06-2020 13:33

General

  • Target

    RFQ_6000042792.PDF.exe

  • Size

    435KB

  • MD5

    e9204b04d38a5e0f5fcce7a195e88fe7

  • SHA1

    b0b84a3f8afac504d74f75af0d252d30ce7bacdf

  • SHA256

    4988b00c252410f05a2bd1d8202739be301c54e4bbac08c4ddbb704a8d660e8d

  • SHA512

    9297da618ff863439586b19f04a0ec66b9b5f8be08703a94d727145a326e494b57c4c2e169ae9bbec19e5ff4c17899e453ca4c0194c597960ac2c6dbfbc130de

Malware Config

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • AgentTesla

    Agent Tesla is an infostealer and remote access tool (RAT) written in .NET (originally Visual Basic .NET).

  • Suspicious use of WriteProcessMemory 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.
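The three credential-access signatures above are path-based: the sandbox flags a process when it opens the files in which FTP clients, browsers and mail clients keep saved logins. The following Python is added here as an illustration; it is not part of the sandbox report and not the sandbox's own signature engine. It runs a small set of such path rules over constructed file and registry access events and rolls the hits up into per-technique counts in the style of the ATT&CK matrix further down. The store locations are the well-known ones (FileZilla sitemanager.xml and recentservers.xml, WinSCP.ini for portable installs, Chrome's Login Data, Firefox's logins.json and key4.db, Thunderbird's logins.json, the Outlook profile registry key); the event list, the rule names and the event field layout are constructed for the example.

```python
"""Classify constructed file/registry access events against credential stores
that infostealers such as Agent Tesla read. Added example, not part of the
sandbox report; EVENTS below are constructed, not captured from the run."""
import re
from collections import Counter

# Regexes keyed by the report's own signature names. Profile prefixes such as
# %APPDATA% are left out so a rule matches under any user profile.
SIGNATURES = {
    "Reads data files stored by FTP clients": [
        r"\\FileZilla\\(sitemanager|recentservers)\.xml$",
        r"\\WinSCP\.ini$",
    ],
    "Reads user/profile data of web browsers": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$",
    ],
    "Reads user/profile data of local email clients": [
        r"\\Thunderbird\\Profiles\\[^\\]+\\logins\.json$",
        r"^HKCU\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\",
    ],
}

# The report maps each of the three signatures to the same two ATT&CK v6 techniques.
TECHNIQUES = ("T1081", "T1005")

# Constructed events: (pid, operation, path). Only the last two are benign.
EVENTS = [
    (1776, "CreateFile", r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"),
    (1776, "CreateFile", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (1776, "CreateFile", r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"),
    (1776, "RegOpenKey", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    (1776, "CreateFile", r"C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe"),
    (684, "CreateFile", r"C:\Windows\System32\kernel32.dll"),
]

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNATURES.items()}


def match_signatures(events):
    """Return {signature_name: [(pid, path), ...]} for events that touch a credential store."""
    hits = {name: [] for name in SIGNATURES}
    for pid, _op, path in events:
        for name, regexes in COMPILED.items():
            if any(r.search(path) for r in regexes):
                hits[name].append((pid, path))
    return {name: h for name, h in hits.items() if h}


def attack_counts(hits):
    """Count triggered signatures per technique, the way the matrix cells count them."""
    counts = Counter()
    for _name in hits:
        for tid in TECHNIQUES:
            counts[tid] += 1
    return dict(counts)


if __name__ == "__main__":
    found = match_signatures(EVENTS)
    for name, entries in found.items():
        print(name)
        for pid, path in entries:
            print(f"  pid {pid}: {path}")
    print(attack_counts(found))
```

The rules key on path suffixes rather than full paths so they survive a renamed user or a non-default profile directory; a real signature set would also cover the registry locations where older Outlook and WinSCP versions keep sessions, which this example only touches for Outlook.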

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
      "{path}"
      2⤵
      PID:1732
    • C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
      "{path}"
      2⤵
      PID:1832
    • C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
      "{path}"
      2⤵
      PID:1824
    • C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
      "{path}"
      2⤵
      PID:1836
    • C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:1776

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3
  • Collection
    Data from Local System (T1005): 3


Downloads

  • memory/1776-0-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

  • memory/1776-1-0x00000000004472DE-mapping.dmp
  • memory/1776-2-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

  • memory/1776-3-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB
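Read together, the process tree and the memory dumps describe one injection: the parent (PID 684) is the only process flagged for WriteProcessMemory and SetThreadContext, it launches five copies of its own image, and only the last of them (PID 1776) is dumped, at the image base 0x400000 with a 0x4C000-byte region and a mapping address inside that region. The Python below is an added example, not part of the sandbox report, that encodes that pattern as a check over the report's own PIDs and addresses; the record layout (`sigs`, `kind`, `start`/`end`/`addr` fields) and the 0x400000 image-base assumption are this example's, not the sandbox's data model.

```python
"""Flag the self-injection pattern (write into a same-image child, reset its
thread context) that the report's process tree and memory dumps show.
Added example, not part of the sandbox report; PIDs and addresses are taken
from the report, the record field names are assumptions of this example."""

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe"
DROPPER_SIZE_KB = 435  # "Size" from the General section

# One parent and five children of the same image, with the report's per-process signatures.
PROCESSES = [
    {"pid": 684, "ppid": None, "image": IMAGE,
     "sigs": {"WriteProcessMemory", "AdjustPrivilegeToken", "EnumeratesProcesses", "SetThreadContext"}},
    {"pid": 1732, "ppid": 684, "image": IMAGE, "sigs": set()},
    {"pid": 1832, "ppid": 684, "image": IMAGE, "sigs": set()},
    {"pid": 1824, "ppid": 684, "image": IMAGE, "sigs": set()},
    {"pid": 1836, "ppid": 684, "image": IMAGE, "sigs": set()},
    {"pid": 1776, "ppid": 684, "image": IMAGE, "sigs": {"AdjustPrivilegeToken", "EnumeratesProcesses"}},
]

# Memory artefacts from the Downloads section: region dumps have start/end, the mapping dump one address.
DUMPS = [
    {"pid": 1776, "kind": "memory", "start": 0x400000, "end": 0x44C000},
    {"pid": 1776, "kind": "mapping", "addr": 0x4472DE},
    {"pid": 1776, "kind": "memory", "start": 0x400000, "end": 0x44C000},
    {"pid": 1776, "kind": "memory", "start": 0x400000, "end": 0x44C000},
]

INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext"}


def hollowing_candidates(processes):
    """Parents that both wrote into another process and reset a thread context,
    mapped to their children started from the same image path (RunPE-style self-hollowing)."""
    by_pid = {p["pid"]: p for p in processes}
    out = {}
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent is None or not INJECTION_APIS <= parent["sigs"]:
            continue
        if p["image"].lower() == parent["image"].lower():
            out.setdefault(parent["pid"], []).append(p["pid"])
    return out


def injected_child(processes, dumps, parent_pid, image_base=0x400000):
    """Among a parent's same-image children, the one whose memory was dumped at the
    image base: that is the copy the payload was written into."""
    children = set(hollowing_candidates(processes).get(parent_pid, []))
    for d in dumps:
        if d["kind"] == "memory" and d["pid"] in children and d["start"] == image_base:
            return d["pid"]
    return None


def region_size_kb(dump):
    """Size of a dumped region in KB; 0x400000-0x44C000 gives 304."""
    return (dump["end"] - dump["start"]) // 1024


def mapping_offset(dumps, pid):
    """Offset of the mapping address from the start of the dumped image region it
    falls in, or None if no region of that PID contains it."""
    regions = [d for d in dumps if d["pid"] == pid and d["kind"] == "memory"]
    for m in (d for d in dumps if d["pid"] == pid and d["kind"] == "mapping"):
        for r in regions:
            if r["start"] <= m["addr"] < r["end"]:
                return m["addr"] - r["start"]
    return None


def summarize(processes=PROCESSES, dumps=DUMPS):
    """Collapse the checks into one record: who injected, into which child, how big
    the injected image is relative to the dropper, and where the mapping points."""
    cands = hollowing_candidates(processes)
    (parent, children), = cands.items()
    victim = injected_child(processes, dumps, parent)
    region = next(d for d in dumps if d["pid"] == victim and d["kind"] == "memory")
    return {
        "parent": parent,
        "children": children,
        "injected": victim,
        "image_kb": region_size_kb(region),
        "smaller_than_dropper": region_size_kb(region) < DROPPER_SIZE_KB,
        "mapping_offset": mapping_offset(dumps, victim),
    }


if __name__ == "__main__":
    print(summarize())
```

The injected region (304KB) is smaller than the 435KB file on disk, which is what you expect when the on-disk sample is a loader carrying a packed payload; the dumped 0x400000 region is the artefact to carve for the actual Agent Tesla binary and its configuration. The four earlier children with no flagged activity are consistent with the loader retrying before one injection took, but the report itself records only that they were started.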