Overview

overview

10

Static

static

Detalles d...df.exe

windows7_x64

10

Detalles d...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Detalles del banco Pdf.exe

  • Size

    548KB

  • MD5

    d367775b90921b2d36296036bac6a255

  • SHA1

    897618f155cfb5b5f580f3b08751ff9b4fb5c5e8

  • SHA256

    74fb0be9b7d5f5e5a39ddf596dfb3357deb458b7b4340be8f0ce8c4ae819f3de

  • SHA512

    74f0a82c5542308ad66065319a206144a73eb95c32ae22e8e807a9e326eb6e91add2c8455aded2607eb2f268cb4a0560698126b9c2bcbb71423f549da7016d2b

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    lFAvm@p#@z92

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    lFAvm@p#@z92

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\unlOvmub" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2540
    • C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe
      "{path}"
      2⤵
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1824
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          3⤵
            PID:5000

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      3
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      3
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Detalles del banco Pdf.exe.log
        Filesize

        496B

        MD5

        7baa6583f69f63f7230df9bf98448356

        SHA1

        fe9eb85b57192362da704a3c130377fe83862320

        SHA256

        a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f

        SHA512

        0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp
        Filesize

        1KB

        MD5

        8b534c60afd3bfc7a313e81695026031

        SHA1

        d84e32a041f950b33a048b9a11d57b723585db14

        SHA256

        7afb486b7676dc14e256c44b0c47f5a180fa6df6d0bf17657abad9045183da9f

        SHA512

        c8f2b858513edd63367a80c9ab7c319b3abd3f301077e2278cd9b0b3f38ca5b2128e5e215720c42183f35411ba6d75fada1503dda7f603796ef15ae070a15308

        Download Submit
      • memory/1824-134-0x0000000000000000-mapping.dmp
        Download
      • memory/1824-135-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1824-137-0x0000000074ED0000-0x0000000075481000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2540-131-0x0000000000000000-mapping.dmp
        Download
      • memory/2624-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4188-130-0x0000000074ED0000-0x0000000075481000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/5000-138-0x0000000000000000-mapping.dmp
        Download