Analysis
- Max time kernel: 352s
- Max time network: 614s
- Platform: windows10_x64
- Resource: win10-en-20210920
- Submitted: 26-10-2021 07:00
Tasks
- static1: Static task
- behavioral1: Behavioral task; Sample: BL. NO. ANSMUNDAR3621.exe; Resource: win7-en-20211014
- behavioral2: Behavioral task; Sample: BL. NO. ANSMUNDAR3621.exe; Resource: win10-en-20210920
- behavioral3: Behavioral task; Sample: Sample_10120351200_ISO_035117img.exe; Resource: win7-en-20210920
- behavioral4: Behavioral task; Sample: Sample_10120351200_ISO_035117img.exe; Resource: win10-en-20211014
- behavioral5: Behavioral task; Sample: Invoice 1905-20-1907-20.pdf.exe; Resource: win7-en-20210920
- behavioral6: Behavioral task; Sample: Invoice 1905-20-1907-20.pdf.exe; Resource: win10-en-20211014
- behavioral7: Behavioral task; Sample: Leak/PROFORMA INVOICE.doc; Resource: win7-en-20210920
- behavioral8: Behavioral task; Sample: Leak/PROFORMA INVOICE.doc; Resource: win10-en-20211014
- behavioral9: Behavioral task; Sample: Payment receipt.pdf.exe; Resource: win7-en-20210920
- behavioral10: Behavioral task; Sample: Payment receipt.pdf.exe; Resource: win10-en-20210920
- behavioral11: Behavioral task; Sample: Leak/Proforma invoice35117img.xls; Resource: win7-en-20211014
- behavioral12: Behavioral task; Sample: Leak/Proforma invoice35117img.xls; Resource: win10-en-20210920
General
- Target: BL. NO. ANSMUNDAR3621.exe
- Size: 705KB
- MD5: 5e4930b37a31c65525ec4e308a67fb7e
- SHA1: c598d2e034dd4d1e1266b8d0f047cfd629b56ab9
- SHA256: a96249e0df2c88e2e047ad332ba7d2755dd6f390d39afc67de05ddfa8726e53f
- SHA512: 86600dfb132d057a6f7fe4d644b8c3577ef83ed95e2986d4c2d3475c6af92db1eb7bb3ef6288b29b441e30443057c296838bb49e1980e0ed7dfafdff7a6968e4
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.topfrozenfoodbrand.com
- Port: 587
- Username: [email protected]
- Password: Chukwudim28@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource, yara_rule):
  - behavioral2/memory/664-124-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral2/memory/664-125-0x0000000000436D9E-mapping.dmp: family_agenttesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BL. NO. ANSMUNDAR3621.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BL. NO. ANSMUNDAR3621.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BL. NO. ANSMUNDAR3621.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 3804 set thread context of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  - 3804 BL. NO. ANSMUNDAR3621.exe
  - 3804 BL. NO. ANSMUNDAR3621.exe
  - 664 BL. NO. ANSMUNDAR3621.exe
  - 664 BL. NO. ANSMUNDAR3621.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege; 3804 BL. NO. ANSMUNDAR3621.exe
  - Token: SeDebugPrivilege; 664 BL. NO. ANSMUNDAR3621.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 3804 wrote to memory of 656: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 656: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 656: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
  - PID 3804 wrote to memory of 664: 3804 BL. NO. ANSMUNDAR3621.exe -> BL. NO. ANSMUNDAR3621.exe
- outlook_office_path (1 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BL. NO. ANSMUNDAR3621.exe)
- outlook_win_path (1 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (BL. NO. ANSMUNDAR3621.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"
  PID: 3804
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"
    PID: 656
  - C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"
    PID: 664
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL. NO. ANSMUNDAR3621.exe.log
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
- memory/664-124-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/664-133-0x00000000060A0000-0x00000000060A1000-memory.dmp (Filesize: 4KB)
- memory/664-132-0x0000000005500000-0x0000000005501000-memory.dmp (Filesize: 4KB)
- memory/664-131-0x0000000005520000-0x0000000005521000-memory.dmp (Filesize: 4KB)
- memory/664-125-0x0000000000436D9E-mapping.dmp
- memory/3804-119-0x0000000007400000-0x00000000078FE000-memory.dmp (Filesize: 5.0MB)
- memory/3804-123-0x0000000008310000-0x0000000008367000-memory.dmp (Filesize: 348KB)
- memory/3804-122-0x0000000008270000-0x0000000008271000-memory.dmp (Filesize: 4KB)
- memory/3804-121-0x0000000007840000-0x0000000007847000-memory.dmp (Filesize: 28KB)
- memory/3804-120-0x00000000074B0000-0x00000000074B1000-memory.dmp (Filesize: 4KB)
- memory/3804-115-0x00000000006E0000-0x00000000006E1000-memory.dmp (Filesize: 4KB)
- memory/3804-118-0x00000000074E0000-0x00000000074E1000-memory.dmp (Filesize: 4KB)
- memory/3804-117-0x0000000007900000-0x0000000007901000-memory.dmp (Filesize: 4KB)