Overview

overview

10

Static

static

Detalles d...df.exe

windows7_x64

10

Detalles d...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Detalles del banco Pdf.exe

  • Size

    548KB

  • MD5

    d367775b90921b2d36296036bac6a255

  • SHA1

    897618f155cfb5b5f580f3b08751ff9b4fb5c5e8

  • SHA256

    74fb0be9b7d5f5e5a39ddf596dfb3357deb458b7b4340be8f0ce8c4ae819f3de

  • SHA512

    74f0a82c5542308ad66065319a206144a73eb95c32ae22e8e807a9e326eb6e91add2c8455aded2607eb2f268cb4a0560698126b9c2bcbb71423f549da7016d2b

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    lFAvm@p#@z92

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\unlOvmub" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1984
    • C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe
      "{path}"
      2⤵
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1964
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          3⤵
            PID:1072

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      3
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      3
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp7EE.tmp
        Filesize

        1KB

        MD5

        96ad376037de1aac80625177a7ea6800

        SHA1

        0c64e3cabc6460dec6a20a0ca9629f9c4ebad298

        SHA256

        de84856c02bef16b87dc41cf169fcbaa8f68aeb4580f75d03afaa538db8826a9

        SHA512

        23f23b7bfc94dd62c3b6e476222271c5943fb4aa001caa203c077a5fa3a47ed7ddb35f5056f0ec7fd5a99d8fcb795f5f785ec8bd0294b04c16bab746eba54c42

        Download Submit
      • memory/1072-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1096-54-0x0000000075E51000-0x0000000075E53000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1096-55-0x0000000074590000-0x0000000074B3B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1964-61-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-62-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-59-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-58-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-63-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-64-0x000000000044C3DE-mapping.dmp
        Download
      • memory/1964-66-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-68-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1964-70-0x0000000074520000-0x0000000074ACB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1984-56-0x0000000000000000-mapping.dmp
        Download