Overview

overview

10

Static

static

Facturas P...to.exe

windows7_x64

10

Facturas P...to.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    07/07/2020, 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Facturas Pagadas al Vencimiento.exe

  • Size

    518KB

  • MD5

    074510c3e8e9d5a64c7aa933145e393d

  • SHA1

    03f4a405338487940c97b2570660fb8b250720b8

  • SHA256

    9a0308caa25c2ae09ef34859b8bddfef34bc4d95581b751222fdc9b1d9e22d16

  • SHA512

    4f4b40be129dba5c66d1c8131a04e7fc09ab8acbbea6ffbcd0a1636901ba3b5f8d0571e71cce1432021c65005ab0c771d9777f782b8c35091f6a3e454830f762

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.gascuenca.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    gasW203@Z7

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.gascuenca.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    gasW203@Z7

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe
    "C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:3144

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3840-0-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download