Analysis
  Max time kernel: 150s
  Max time network: 12s
  Platform: windows7_x64
  Resource: win7v20201028
  Submitted: 26-01-2021 06:59
  Static task: static1
  Behavioral task: behavioral1 (sample FedEx-Shipment-61821461149.jar, resource win7v20201028)
  Behavioral task: behavioral2 (sample FedEx-Shipment-61821461149.jar, resource win10v20201028)
General
  Target: FedEx-Shipment-61821461149.jar
  Size: 1.1MB
  MD5: 796276ef3bb0cff9f450ee0d2904b9a6
  SHA1: b0f27e95169499f019fa45e0de2f31b84fd03298
  SHA256: 4c05725a37cb5a13ba3f7bc3993958bb56a234b47ae5869ceb92c2d8f98635f3
  SHA512: 0cf482410883c6d3a8498cb06bde5595bd506ddde9a0c7b1231800e48c4a206305bc1cb09340a4cb620bc44a6a2123040b2edc9f389e84147d88bf71d25f7435
Malware Config
  Extracted: agenttesla
  Protocol: smtp
  Host: mail.pexonteam.rs
  Port: 587
  Username: [email protected]
  Password: Mdn7dRsJ[7q}
Signatures
  AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  AgentTesla Payload (3 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1000-16-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
    behavioral1/memory/1000-17-0x000000000043764E-mapping.dmp                     family_agenttesla
    behavioral1/memory/1000-20-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  Executes dropped EXE (2 IoCs)
    pid   process
    1960  fnd2So.exe
    1000  fnd2So.exe
  Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
  Reads user/profile data of local email clients (2 TTPs)
    Email clients store some user data on disk, where infostealers will often target it.
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Suspicious use of SetThreadContext (1 IoC)
    description                           pid   process     target process
    PID 1960 set thread context of 1000   1960  fnd2So.exe  fnd2So.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   process
    1000  fnd2So.exe
    1000  fnd2So.exe
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid   process
    1704  AcroRd32.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid   process
    Token: SeDebugPrivilege   1000  fnd2So.exe
  Suspicious use of SetWindowsHookEx (4 IoCs)
    pid   process
    1336  java.exe
    1704  AcroRd32.exe
    1704  AcroRd32.exe
    1704  AcroRd32.exe
  Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed, count in last column)
    description                        pid   process     target process   count
    PID 1336 wrote to memory of 1960   1336  java.exe    fnd2So.exe       4
    PID 1336 wrote to memory of 1704   1336  java.exe    AcroRd32.exe     4
    PID 1960 wrote to memory of 1000   1960  fnd2So.exe  fnd2So.exe       9
Processes
  C:\Windows\system32\java.exe
    command line: java -jar C:\Users\Admin\AppData\Local\Temp\FedEx-Shipment-61821461149.jar
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\fnd2So.exe
      command line: C:\Users\Admin\fnd2So.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\fnd2So.exe
        command line: "C:\Users\Admin\fnd2So.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\2rT0ij0AP.pdf"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Downloads
  C:\Users\Admin\2rT0ij0AP.pdf
    MD5: 524fcfad9aeab4bbebb7eb9c713bb185
    SHA1: 041914a609a61ec9487063a462434de523fe2471
    SHA256: da13ea60cabf1b692cbfd07cfcafe3a2d1393a745ac817161498dc04db2f9208
    SHA512: 2131c93a19d6d2cefe45070a1eccc0c307060aa0361f935be559defd0069b5da860473ece763a3b83d62974aaa7f0295fb4d1e49405307ae826cb48b6295121b
  C:\Users\Admin\fnd2So.exe
    MD5: 7da8b4001777c09fac01f6d5401706e7
    SHA1: 94d936a8ab33ad3eb2aa536cfe16d733b8275d33
    SHA256: e88cd272e8c4edb52f30b28bd1466b8176337a146c7ed215c1713bfc279b1487
    SHA512: e2bef1be7326ff62edec028953b1134051f962744b8ac718ce1bdb96acfe75ae381fda290a9c5f7009ce68bc20b8262944d9ef5c3cfc2f7948df249f14e47870
  memory/1000-16-0x0000000000400000-0x000000000043C000-memory.dmp   Filesize: 240KB
  memory/1000-23-0x0000000004C51000-0x0000000004C52000-memory.dmp   Filesize: 4KB
  memory/1000-22-0x0000000004C50000-0x0000000004C51000-memory.dmp   Filesize: 4KB
  memory/1000-20-0x0000000000400000-0x000000000043C000-memory.dmp   Filesize: 240KB
  memory/1000-19-0x0000000072D60000-0x000000007344E000-memory.dmp   Filesize: 6.9MB
  memory/1000-17-0x000000000043764E-mapping.dmp
  memory/1336-3-0x0000000002230000-0x00000000024A0000-memory.dmp    Filesize: 2.4MB
  memory/1336-2-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp    Filesize: 8KB
  memory/1704-8-0x0000000000000000-mapping.dmp
  memory/1704-9-0x0000000075DE1000-0x0000000075DE3000-memory.dmp    Filesize: 8KB
  memory/1960-15-0x0000000004910000-0x000000000497A000-memory.dmp   Filesize: 424KB
  memory/1960-14-0x0000000000410000-0x0000000000413000-memory.dmp   Filesize: 12KB
  memory/1960-13-0x0000000007210000-0x0000000007211000-memory.dmp   Filesize: 4KB
  memory/1960-10-0x0000000000DB0000-0x0000000000DB1000-memory.dmp   Filesize: 4KB
  memory/1960-7-0x0000000072D60000-0x000000007344E000-memory.dmp    Filesize: 6.9MB
  memory/1960-4-0x0000000000000000-mapping.dmp