Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 19-10-2021 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: DHL DOCUMENTS.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: DHL DOCUMENTS.exe
- Resource: win10-en-20210920
General
- Target: DHL DOCUMENTS.exe
- Size: 747KB
- MD5: d6e6a2b12de21b77970256e539a11b20
- SHA1: bc2d1fd49e6c8f39be63e8f9aea10faee4fa9804
- SHA256: 9621554c8727d49421880fb2870af9ba1073cfc93340a3b67a9aafa4ccac401e
- SHA512: 5459cebf51e4603d4b3395c08a02c03b96a237e11f748c7b4116f16304413f41cee79a287089edab6150bf1cd00b666ca8dd1cf0a98c326bc25df0262904ac84
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.totallyanonymous.com/
- Port: 21
- Username: [email protected]
- Password: 613t705Z
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3760-116-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/3760-117-0x000000000043751E-mapping.dmp | family_agenttesla
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: DHL DOCUMENTS.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL DOCUMENTS.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL DOCUMENTS.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL DOCUMENTS.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: DHL DOCUMENTS.exe
description | pid | process | target process
PID 1828 set thread context of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: DHL DOCUMENTS.exe
pid | process
3760 | DHL DOCUMENTS.exe
3760 | DHL DOCUMENTS.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: DHL DOCUMENTS.exe
description | pid | process
Token: SeDebugPrivilege | 3760 | DHL DOCUMENTS.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: DHL DOCUMENTS.exe
description | pid | process | target process
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
PID 1828 wrote to memory of 3760 | 1828 | DHL DOCUMENTS.exe | DHL DOCUMENTS.exe
-
outlook_office_path (1 IoCs)
Processes: DHL DOCUMENTS.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL DOCUMENTS.exe
-
outlook_win_path (1 IoCs)
Processes: DHL DOCUMENTS.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL DOCUMENTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL DOCUMENTS.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL DOCUMENTS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL DOCUMENTS.exe (depth 2, child of the above)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1828-115-0x0000000002F10000-0x0000000002F11000-memory.dmp (Filesize: 4KB)
- memory/1828-118-0x0000000002F11000-0x0000000002F12000-memory.dmp (Filesize: 4KB)
- memory/3760-116-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3760-117-0x000000000043751E-mapping.dmp
- memory/3760-119-0x0000000002E90000-0x0000000002E91000-memory.dmp (Filesize: 4KB)
- memory/3760-120-0x0000000002E91000-0x0000000002E92000-memory.dmp (Filesize: 4KB)
- memory/3760-121-0x0000000002E92000-0x0000000002E93000-memory.dmp (Filesize: 4KB)