Analysis Overview
SHA256
8884820e4b10d43f04ccd1a7ff14eafccadf1184ce080b2b2e0836a7dc786f4e
Threat Level: Known bad
The file FACTURA Y ALBARANES.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Snakebot family
CoreEntity .NET Packer
AgentTesla Payload
Contains SnakeBOT related strings
rezer0
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 19:37
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:08
Platform
win7v20201028
Max time kernel
61s
Max time network
8s
Command Line
Signatures
AgentTesla
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe"
C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
Files
memory/1700-0-0x0000000074D20000-0x000000007540E000-memory.dmp
memory/1700-1-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1064-3-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp
memory/1700-4-0x0000000000560000-0x0000000000563000-memory.dmp
memory/1700-5-0x0000000002170000-0x00000000021C3000-memory.dmp
memory/1536-6-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1536-7-0x000000000044C94E-mapping.dmp
memory/1536-8-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1536-9-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1536-10-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/916-13-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 19:37
Reported
2020-11-09 22:08
Platform
win10v20201028
Max time kernel
74s
Max time network
131s
Command Line
Signatures
AgentTesla
CoreEntity .NET Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
rezer0
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 580 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe"
C:\Users\Admin\AppData\Local\Temp\FACTURA Y ALBARANES.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.google.com.br | udp |
| N/A | 172.217.19.195:443 | www.google.com.br | tcp |
| N/A | 8.8.8.8:53 | mail.fridec.com | udp |
| N/A | 91.134.184.212:587 | mail.fridec.com | tcp |
| N/A | 91.134.184.212:587 | mail.fridec.com | tcp |
Files
memory/580-0-0x0000000073190000-0x000000007387E000-memory.dmp
memory/580-1-0x0000000000970000-0x0000000000971000-memory.dmp
memory/580-3-0x0000000007B60000-0x0000000007B61000-memory.dmp
memory/580-4-0x0000000007740000-0x0000000007741000-memory.dmp
memory/580-5-0x0000000007720000-0x0000000007721000-memory.dmp
memory/580-14-0x0000000004C30000-0x0000000004C33000-memory.dmp
memory/580-15-0x000000000B060000-0x000000000B0B3000-memory.dmp
memory/580-16-0x000000000B2C0000-0x000000000B2C1000-memory.dmp
memory/204-17-0x0000000000400000-0x0000000000452000-memory.dmp
memory/204-18-0x000000000044C94E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FACTURA Y ALBARANES.exe.log
| MD5 | b4f7a6a57cb46d94b72410eb6a6d45a9 |
| SHA1 | 69f3596ffa027202d391444b769ceea0ae14c5f7 |
| SHA256 | 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b |
| SHA512 | be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c |
memory/204-20-0x0000000073190000-0x000000007387E000-memory.dmp
memory/204-25-0x0000000005730000-0x0000000005731000-memory.dmp
memory/204-26-0x0000000006350000-0x0000000006351000-memory.dmp
memory/2884-27-0x0000000000000000-mapping.dmp