Analysis
  Max time kernel: 137s
  Max time network: 139s
  Platform: windows10_x64
  Resource: win10
  Submitted: 24-06-2020 13:33

  Static task: static1
  Behavioral task: behavioral1
    Sample: RFQ_6000042792.PDF.exe
    Resource: win7v200430
  Behavioral task: behavioral2
    Sample: RFQ_6000042792.PDF.exe
    Resource: win10
General
  Target: RFQ_6000042792.PDF.exe
  Size: 435KB
  MD5: e9204b04d38a5e0f5fcce7a195e88fe7
  SHA1: b0b84a3f8afac504d74f75af0d252d30ce7bacdf
  SHA256: 4988b00c252410f05a2bd1d8202739be301c54e4bbac08c4ddbb704a8d660e8d
  SHA512: 9297da618ff863439586b19f04a0ec66b9b5f8be08703a94d727145a326e494b57c4c2e169ae9bbec19e5ff4c17899e453ca4c0194c597960ac2c6dbfbc130de
Malware Config
  Extracted
    Protocol: smtp
    Host: smtp.portsen.com
    Port: 587
    Username: bnno@portsen.com
    Password: Nkhp*pE1
  These are the operator's mail-submission credentials (SMTP on port 587) that the sample uses to send harvested data out; the host, port and account are usable as network indicators.
Signatures

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   3888  RFQ_6000042792.PDF.exe
    Token: SeDebugPrivilege   3484  RFQ_6000042792.PDF.exe

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3484  RFQ_6000042792.PDF.exe
    3484  RFQ_6000042792.PDF.exe
  Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

  Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs such as FileZilla.

  Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
  AgentTesla
  Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer.
  Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                         pid   process                  target process
    PID 3888 wrote to memory of 3484    3888  RFQ_6000042792.PDF.exe   RFQ_6000042792.PDF.exe   (8 identical events)

  Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                             pid   process                  target process
    PID 3888 set thread context of 3484     3888  RFQ_6000042792.PDF.exe   RFQ_6000042792.PDF.exe
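The WriteProcessMemory and SetThreadContext rows, read together with the fact that writer (3888) and target (3484) run the same image and the writer has enabled SeDebugPrivilege, are the pattern sandboxes use to call process hollowing / self-injection: the parent writes a payload into a child copy of itself and then redirects the child's thread. The Python below is an added example and not part of the sandbox report; it turns that reasoning into a check over event lines written in the report's own row wording. The event text is constructed here to mirror the rows above, and the explorer.exe/notepad.exe pair is an invented contrast case (a memory write with no thread-context change and differing images) that must not be flagged.

```python
"""Flag process-hollowing style self-injection in sandbox signature rows.

Added example. Event lines are constructed to mirror the report's
"PID <src> wrote to memory of <dst> <src> <image> <target image>" and
"Token: <privilege> <pid> <image>" rows; nothing is read from a live report.
"""
import re

PRIV_RE = re.compile(r"^Token: (?P<priv>\S+) (?P<pid>\d+) (?P<image>\S+)$")
INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Constructed sample input modelled on the signature tables above. The
# explorer.exe -> notepad.exe line is an invented contrast case.
WRITE_ROW = "PID 3888 wrote to memory of 3484 3888 RFQ_6000042792.PDF.exe RFQ_6000042792.PDF.exe"
SAMPLE_EVENTS = "\n".join(
    [
        "Token: SeDebugPrivilege 3888 RFQ_6000042792.PDF.exe",
        "Token: SeDebugPrivilege 3484 RFQ_6000042792.PDF.exe",
    ]
    + [WRITE_ROW] * 8
    + [
        "PID 3888 set thread context of 3484 3888 RFQ_6000042792.PDF.exe RFQ_6000042792.PDF.exe",
        "PID 1200 wrote to memory of 1204 1200 explorer.exe notepad.exe",
    ]
)


def parse_events(text):
    """Return (privs, pairs): privileges enabled per pid, and for each
    (src, dst) pair the count of memory writes and thread-context changes."""
    privs = {}
    pairs = {}
    for line in text.strip().splitlines():
        m = PRIV_RE.match(line)
        if m:
            privs.setdefault(int(m["pid"]), set()).add(m["priv"])
            continue
        m = INJECT_RE.match(line)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            rec = pairs.setdefault(
                key,
                {"write": 0, "setctx": 0,
                 "src_image": m["src_image"], "dst_image": m["dst_image"]},
            )
            rec["write" if m["action"].startswith("wrote") else "setctx"] += 1
    return privs, pairs


def find_hollowing(privs, pairs):
    """Report pairs that both wrote into the target and changed its thread
    context. Same image on both sides plus SeDebugPrivilege on the writer
    raises confidence that this is self-injection rather than a debugger."""
    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        if not (rec["write"] and rec["setctx"]):
            continue  # a write alone (installers, debuggers) is not enough
        same_image = rec["src_image"] == rec["dst_image"]
        debug_priv = "SeDebugPrivilege" in privs.get(src, set())
        findings.append({
            "src": src, "dst": dst, "writes": rec["write"],
            "image": rec["src_image"], "target_image": rec["dst_image"],
            "same_image": same_image, "debug_priv": debug_priv,
            "confidence": "high" if same_image and debug_priv else "medium",
        })
    return findings


def triage(text):
    """Parse the event text and return the hollowing findings."""
    return find_hollowing(*parse_events(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['confidence']}: PID {f['src']} ({f['image']}) hollowed PID "
              f"{f['dst']} ({f['target_image']}), {f['writes']} writes, "
              f"same image={f['same_image']}, SeDebugPrivilege={f['debug_priv']}")
```

Run on the constructed events it reports one high-confidence finding for 3888 -> 3484 with eight writes and nothing for the explorer.exe/notepad.exe pair. The write count is kept because a single write followed by SetThreadContext is also what a legitimate debugger attaching to a suspended process looks like; many writes into a same-image child are the stronger signal.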
Processes
  1. C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe (PID 3888)
     Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe"
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     - Suspicious use of SetThreadContext
     2. C:\Users\Admin\AppData\Local\Temp\RFQ_6000042792.PDF.exe (PID 3484, child of 1)
        Command line recorded literally as: "{path}"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses