Analysis
max time kernel: 132s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 13:08
Static task: static1
Behavioral task: behavioral1
  Sample: ORDEN DE COMPRA 80107.pdf________________________.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ORDEN DE COMPRA 80107.pdf________________________.exe
  Resource: win10-en-20211208
General
Target: ORDEN DE COMPRA 80107.pdf________________________.exe
Size: 229KB
MD5: af7c27fd6e49538aa93a667d67463c51
SHA1: e2da9a0143a07da2b2c498f4622ea5db21d9298f
SHA256: d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138
SHA512: 6fdf0a2efc97e8c69c8aa97d4a2f47826c7bc201a8db4323f41ac097925c0c5e919ec7df5e72579d61dab3e7e38f8e8a324ca8a336b55e2ce756838a9bd08122
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.bhgautopartes.com
Port: 587
Username: kubaba@bhgautopartes.com
Password: icui4cu2@@
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
AgentTesla Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3500-125-0x0000000000400000-0x00000000006A3000-memory.dmp | family_agenttesla
behavioral2/memory/3500-126-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: ORDEN DE COMPRA 80107.pdf________________________.exe, caspol.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ORDEN DE COMPRA 80107.pdf________________________.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes: caspol.exe
pid | process
3500 | caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: ORDEN DE COMPRA 80107.pdf________________________.exe, caspol.exe
pid | process
3140 | ORDEN DE COMPRA 80107.pdf________________________.exe
3500 | caspol.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: ORDEN DE COMPRA 80107.pdf________________________.exe
description | pid | process | target process
PID 3140 set thread context of 3500 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: caspol.exe
pid | process
3500 | caspol.exe
3500 | caspol.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: ORDEN DE COMPRA 80107.pdf________________________.exe
pid | process
3140 | ORDEN DE COMPRA 80107.pdf________________________.exe
3140 | ORDEN DE COMPRA 80107.pdf________________________.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: caspol.exe
description | pid | process
Token: SeDebugPrivilege | 3500 | caspol.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: ORDEN DE COMPRA 80107.pdf________________________.exe
pid | process
3140 | ORDEN DE COMPRA 80107.pdf________________________.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: ORDEN DE COMPRA 80107.pdf________________________.exe
description | pid | process | target process
PID 3140 wrote to memory of 3020 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
PID 3140 wrote to memory of 3020 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
PID 3140 wrote to memory of 3020 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
PID 3140 wrote to memory of 3500 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
PID 3140 wrote to memory of 3500 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
PID 3140 wrote to memory of 3500 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
PID 3140 wrote to memory of 3500 | 3140 | ORDEN DE COMPRA 80107.pdf________________________.exe | caspol.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3140-117-0x0000000002460000-0x0000000002474000-memory.dmp (filesize 80KB)
memory/3140-118-0x00007FFA3B2A0000-0x00007FFA3B47B000-memory.dmp (filesize 1.9MB)
memory/3140-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp (filesize 1.6MB)
memory/3140-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp (filesize 1.6MB)
memory/3140-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp (filesize 1.6MB)
memory/3500-122-0x0000000000F00000-0x0000000001100000-memory.dmp (filesize 2.0MB)
memory/3500-123-0x00007FFA3B2A0000-0x00007FFA3B47B000-memory.dmp (filesize 1.9MB)
memory/3500-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp (filesize 1.6MB)
memory/3500-125-0x0000000000400000-0x00000000006A3000-memory.dmp (filesize 2.6MB)
memory/3500-126-0x0000000000400000-0x000000000043C000-memory.dmp (filesize 240KB)
memory/3500-127-0x0000000020900000-0x0000000020DFE000-memory.dmp (filesize 5.0MB)
memory/3500-140-0x00000000205F0000-0x000000002068C000-memory.dmp (filesize 624KB)
memory/3500-141-0x0000000020400000-0x00000000208FE000-memory.dmp (filesize 5.0MB)
memory/3500-179-0x0000000000B50000-0x0000000000B68000-memory.dmp (filesize 96KB)
memory/3500-182-0x0000000000E70000-0x0000000000ED6000-memory.dmp (filesize 408KB)