Analysis
-
max time kernel
89s -
max time network
123s -
platform
windows10_x64 -
resource
win10 -
submitted
29-06-2020 19:22
Static task
static1
Behavioral task
behavioral1
Sample
CONTENEDOR DE COMPRA.pdf.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
CONTENEDOR DE COMPRA.pdf.exe
Resource
win10
General
-
Target
CONTENEDOR DE COMPRA.pdf.exe
-
Size
443KB
-
MD5
72ed8d80ded5c6f7044fafa1a67f9e47
-
SHA1
9fbdf68bfa4f708a1b1b9f6ba04800fc524158a3
-
SHA256
7f9d61cafc1ba6c3438d0627ca782cb90ee750d9ae39aa7e57661dea0f7bd5c7
-
SHA512
41649e306b59990ff62d5046d568ccabc8152ff97df2693fc895f340e87f643013f943883033e4cad04e842edf44242ad6c099caf89203fca76a549daec4e0a9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.trademaxperu.com - Port:
587 - Username:
potbelly_ugonna@trademaxperu.com - Password:
icui4cu2@@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3872-1-0x00000000004476AE-mapping.dmp family_agenttesla behavioral2/memory/3872-0-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
CONTENEDOR DE COMPRA.pdf.exedescription pid process target process PID 3104 set thread context of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
CONTENEDOR DE COMPRA.pdf.exepid process 3872 CONTENEDOR DE COMPRA.pdf.exe 3872 CONTENEDOR DE COMPRA.pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
CONTENEDOR DE COMPRA.pdf.exedescription pid process Token: SeDebugPrivilege 3872 CONTENEDOR DE COMPRA.pdf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
CONTENEDOR DE COMPRA.pdf.exedescription pid process target process PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe PID 3104 wrote to memory of 3872 3104 CONTENEDOR DE COMPRA.pdf.exe CONTENEDOR DE COMPRA.pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CONTENEDOR DE COMPRA.pdf.exe"C:\Users\Admin\AppData\Local\Temp\CONTENEDOR DE COMPRA.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CONTENEDOR DE COMPRA.pdf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CONTENEDOR DE COMPRA.pdf.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
memory/3872-1-0x00000000004476AE-mapping.dmp
-
memory/3872-0-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB