Malware Analysis Report

2024-10-23 21:08

Sample ID 201109-237db974xn
Target FACTURA Y ALBARANES.exe
SHA256 8884820e4b10d43f04ccd1a7ff14eafccadf1184ce080b2b2e0836a7dc786f4e
Tags
snakebot snakebot agenttesla coreentity keylogger rezer0 spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8884820e4b10d43f04ccd1a7ff14eafccadf1184ce080b2b2e0836a7dc786f4e

Threat Level: Known bad

The file FACTURA Y ALBARANES.exe was found to be: Known bad.

Malicious Activity Summary

snakebot snakebot agenttesla coreentity keylogger rezer0 spyware stealer trojan

AgentTesla

Snakebot family

CoreEntity .NET Packer

AgentTesla Payload

Contains SnakeBOT related strings

rezer0

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-09 19:37

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 19:37

Reported

2020-11-09 22:08

Platform

win7v20201028

Max time kernel

61s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

rezer0

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients

spyware

Reads user/profile data of local email clients

spyware

Reads user/profile data of web browsers

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1700 set thread context of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 1536 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe
PID 1536 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe
PID 1536 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe
PID 1536 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe

"C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe"

C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

N/A

Files

memory/1700-0-0x0000000074D20000-0x000000007540E000-memory.dmp

memory/1700-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1064-3-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp

memory/1700-4-0x0000000000560000-0x0000000000563000-memory.dmp

memory/1700-5-0x0000000002170000-0x00000000021C3000-memory.dmp

memory/1536-6-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1536-7-0x000000000044C94E-mapping.dmp

memory/1536-8-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1536-9-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1536-10-0x0000000074CA0000-0x000000007538E000-memory.dmp

memory/916-13-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 19:37

Reported

2020-11-09 22:08

Platform

win10v20201028

Max time kernel

74s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

rezer0

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients

spyware

Reads user/profile data of local email clients

spyware

Reads user/profile data of web browsers

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 580 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 580 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
PID 204 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe
PID 204 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe
PID 204 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe

"C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe"

C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.google.com.br | udp
N/A | 172.217.19.195:443 | www.google.com.br | tcp
N/A | 8.8.8.8:53 | mail.fridec.com | udp
N/A | 91.134.184.212:587 | mail.fridec.com | tcp
N/A | 91.134.184.212:587 | mail.fridec.com | tcp

Files

memory/580-0-0x0000000073190000-0x000000007387E000-memory.dmp

memory/580-1-0x0000000000970000-0x0000000000971000-memory.dmp

memory/580-3-0x0000000007B60000-0x0000000007B61000-memory.dmp

memory/580-4-0x0000000007740000-0x0000000007741000-memory.dmp

memory/580-5-0x0000000007720000-0x0000000007721000-memory.dmp

memory/580-14-0x0000000004C30000-0x0000000004C33000-memory.dmp

memory/580-15-0x000000000B060000-0x000000000B0B3000-memory.dmp

memory/580-16-0x000000000B2C0000-0x000000000B2C1000-memory.dmp

memory/204-17-0x0000000000400000-0x0000000000452000-memory.dmp

memory/204-18-0x000000000044C94E-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FACTURA Y ALBARANES.exe.log

MD5 b4f7a6a57cb46d94b72410eb6a6d45a9
SHA1 69f3596ffa027202d391444b769ceea0ae14c5f7
SHA256 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b
SHA512 be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

memory/204-20-0x0000000073190000-0x000000007387E000-memory.dmp

memory/204-25-0x0000000005730000-0x0000000005731000-memory.dmp

memory/204-26-0x0000000006350000-0x0000000006351000-memory.dmp

memory/2884-27-0x0000000000000000-mapping.dmp