Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
19-10-2021 22:00
General
-
Target
DETAILS PROFORMA BANKING_____________pdf_____________.exe
-
Size
464KB
-
MD5
698d250ff08f3121dc1652384430f942
-
SHA1
e4e9829b91795d7908ea8967f065c1c36bb553a1
-
SHA256
498156982ed9aecacb9a26f6bb4842752c1ad265ab662c25893f5e8e0eebf277
-
SHA512
c5d0d567638f67063f41dada5689fa6aa66af408f2103a48a06daf0179682cec40a6e3bcfc08ec9e96d1253cdd34fb1d71fc1e2e4c47266e20e2d93dc102f95f
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsfC3EE.tmp\ibmbeute.dllMD5
4b00a8fede03377e8ec902ead69358e4
SHA1a916daab58c19f2e7bb0f37f18ceba58521ac7e8
SHA2564fc85337cd5783bd1aa5056ee9c6b3099db05812b32f467696b23aaff3683c36
SHA512aece6578422664e59a85db578748efed150cdd079f7e0e7fda1ae715e1396b2536a436edb0929c979c356b4069ec2675a8a1c417fcec20ce2314d45a98fe761f
-
memory/4008-116-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4008-117-0x000000000040188B-mapping.dmp
-
memory/4008-118-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4008-121-0x00000000021A1000-0x00000000021A2000-memory.dmpFilesize
4KB
-
memory/4008-120-0x00000000021A7000-0x00000000021A8000-memory.dmpFilesize
4KB
-
memory/4008-119-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/4008-122-0x00000000021A2000-0x00000000021A4000-memory.dmpFilesize
8KB
-
memory/4008-123-0x00000000021A8000-0x00000000021A9000-memory.dmpFilesize
4KB
-
memory/4008-124-0x00000000021AD000-0x00000000021AF000-memory.dmpFilesize
8KB