Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    09-07-2020 06:42

General

  • Target

    CMA-Inquiry DA39-RFQ-Urgent order-07820.exe

  • Size

    952KB

  • MD5

    7e8eedd86f24f4e63ed26ff677162e75

  • SHA1

    e9a7b4c02a2f2916a3604a417af65260e33436a4

  • SHA256

    bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075

  • SHA512

    f16624dd72c63bb944d45c25c80a6ed6d8400e994e852db3879602b3107dd3e09dd7d1c5c893598f0d64f15bd98828bc7e67a48ee91943e833e13324d0d016c3

Malware Config

Extracted

Family

formbook

C2

http://www.mansiobok2.info/ns424/

Decoy

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Formbook

    Formbook is data-stealing malware.

  • AgentTesla Payload 4 IoCs
  • Formbook Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
      "C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Users\Admin\Documents\NELLYORIBIN.exe
        "C:\Users\Admin\Documents\NELLYORIBIN.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1016
      • C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
        "C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:580
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"
        3⤵
        • Deletes itself
        PID:1096

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Documents\NELLYORIBIN.exe

    MD5

    d8fe0929e3699d59e8d8a2d677dbe863

    SHA1

    a253d625f69b1f537f2deefe2a51d80999686bd2

    SHA256

    7cd4dc47ff59ffc6fc42ae75f2d16376a0966c4e3608d411fa2d68b6f816ab43

    SHA512

    5f262d26f8733b49ab70c9139e13636583ac8254ba37e1ebeb01cf0ecc6aca4fab866e9c61ee1295073d37118e8da98ef9c394ac94471d6b81e8417d6ac9d0ab

  • \Users\Admin\Documents\NELLYORIBIN.exe

    MD5

    d8fe0929e3699d59e8d8a2d677dbe863

    SHA1

    a253d625f69b1f537f2deefe2a51d80999686bd2

    SHA256

    7cd4dc47ff59ffc6fc42ae75f2d16376a0966c4e3608d411fa2d68b6f816ab43

    SHA512

    5f262d26f8733b49ab70c9139e13636583ac8254ba37e1ebeb01cf0ecc6aca4fab866e9c61ee1295073d37118e8da98ef9c394ac94471d6b81e8417d6ac9d0ab

  • memory/284-10-0x0000000000000000-mapping.dmp

  • memory/284-11-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

    Filesize

    56KB

  • memory/284-13-0x0000000002060000-0x0000000002120000-memory.dmp

    Filesize

    768KB

  • memory/580-8-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/580-9-0x000000000041E300-mapping.dmp

  • memory/1016-5-0x0000000000000000-mapping.dmp

  • memory/1096-12-0x0000000000000000-mapping.dmp

  • memory/1400-1-0x0000000000000000-0x0000000000000000-disk.dmp