Analysis

max time kernel: 147s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:00

Static task: static1
Behavioral task: behavioral1 (sample: Detalles del banco Pdf.exe, resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: Detalles del banco Pdf.exe, resource: win10v2004-20220414-en)

The signatures, process tree and dumps below are from behavioral2 (Windows 10 2004 x64).
General

Target: Detalles del banco Pdf.exe
Size: 548KB
MD5: d367775b90921b2d36296036bac6a255
SHA1: 897618f155cfb5b5f580f3b08751ff9b4fb5c5e8
SHA256: 74fb0be9b7d5f5e5a39ddf596dfb3357deb458b7b4340be8f0ce8c4ae819f3de
SHA512: 74f0a82c5542308ad66065319a206144a73eb95c32ae22e8e807a9e326eb6e91add2c8455aded2607eb2f268cb4a0560698126b9c2bcbb71423f549da7016d2b
Malware Config

Extracted (family: agenttesla)
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: lFAvm@p#@z92

Both extraction passes returned the same SMTP exfiltration configuration, so it is listed once. SMTP on port 587 with a mailbox at a shared hosting provider is the classic Agent Tesla exfiltration channel: stolen credentials are mailed from the victim to the attacker-controlled account, so the SMTP host and the sender account are the network indicators to block and hunt for.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample's extracted config uses SMTP.
AgentTesla Payload (1 IoC)
YARA match: behavioral2/memory/1824-135-0x0000000000400000-0x0000000000452000-memory.dmp matched rule family_agenttesla.
This is the unpacked payload in the injected child (PID 1824), so it is the artefact to use for config extraction and static analysis rather than the 548KB on-disk loader.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Process: Detalles del banco Pdf.exe (PID 4188)
Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: Detalles del banco Pdf.exe (PID 1824)
Keys opened:
\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook keeps per-profile account settings, including stored mail credentials; probing Office 15.0 and 16.0 as well as the legacy Windows Messaging Subsystem path covers Outlook 2013 and 2016 and later.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: Detalles del banco Pdf.exe (PID 1824)
Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJVkSQ = "C:\Users\Admin\AppData\Roaming\MJVkSQ\MJVkSQ.exe"
The Run value points to a copy of the sample under %APPDATA%\MJVkSQ, consistent with the RenamesItself behaviour recorded for the same process; both the registry value and that path are host indicators.
Suspicious use of SetThreadContext (1 IoC)
PID 4188 (Detalles del banco Pdf.exe) set the thread context of PID 1824 (Detalles del banco Pdf.exe), a child copy of its own image.
Together with the eight WriteProcessMemory calls from 4188 into 1824 recorded below, this is the RunPE / process hollowing pattern: the loader launches its own image (typically suspended), overwrites it with the decrypted payload and points the main thread at the new entry point. The family_agenttesla YARA hit on the 1824 memory dump confirms what was written.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in an Agent Tesla sample it is more consistent with fingerprinting the host for the exfiltrated victim report, and this report records no file encryption activity.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or post-infection execution. Here PID 4188 runs schtasks.exe /Create /TN "Updates\unlOvmub" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp" (see the process tree); the 1KB tmpC3EC.tmp listed under Downloads is the task definition XML, so the task name Updates\unlOvmub is a second persistence indicator alongside the Run key.
Suspicious behavior: EnumeratesProcesses (7 IoCs)
PID 4188 Detalles del banco Pdf.exe: 5 events
PID 1824 Detalles del banco Pdf.exe: 2 events
Suspicious behavior: RenamesItself (1 IoC)
PID 1824 Detalles del banco Pdf.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID 4188 Detalles del banco Pdf.exe: Token SeDebugPrivilege
PID 1824 Detalles del banco Pdf.exe: Token SeDebugPrivilege
SeDebugPrivilege is enabled by both the loader and the hollowed payload; it is the privilege a process requests before opening other processes for memory access, and it succeeds here because the sandbox user is an administrator.
Suspicious use of WriteProcessMemory (17 IoCs)
Source PID 4188 (Detalles del banco Pdf.exe) wrote to:
  PID 2540 schtasks.exe: 3 writes
  PID 2624 Detalles del banco Pdf.exe: 3 writes
  PID 1824 Detalles del banco Pdf.exe: 8 writes
Source PID 1824 (Detalles del banco Pdf.exe) wrote to:
  PID 5000 netsh.exe: 3 writes
Note the asymmetry: 2540, 2624 and 5000 each received exactly three writes, the same count for a child that was merely launched (schtasks, netsh) as for the first same-image child, while 1824, the only target of SetThreadContext, received eight. The report records nothing for 2624 beyond its creation (a mapping dump only), so the payload ran in 1824.
outlook_office_path (1 IoC)
Process: Detalles del banco Pdf.exe (PID 1824)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Process: Detalles del banco Pdf.exe (PID 1824)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

PIDs are taken from the signature entries above; the two "{path}" children are distinguished by which one carries the payload signatures.

C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe (PID 4188, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2540, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\unlOvmub" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp"
    - Creates scheduled task(s)
    (The command line names System32 but the image resolved to SysWOW64: the 32-bit sample is subject to WOW64 file-system redirection.)

  C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe (PID 2624, depth 2)
    Command line: "{path}"
    (No signatures attributed; only a mapping dump was recorded.)

  C:\Users\Admin\AppData\Local\Temp\Detalles del banco Pdf.exe (PID 1824, depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe (PID 5000, depth 3)
      Command line: "netsh" wlan show profile
      (Enumerates the names of saved Wi-Fi profiles. Retrieving a plaintext passphrase needs a follow-up per-profile query with key=clear; only the enumeration is recorded here.)
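To turn the per-signature event lists and the process tree above into the findings an analyst actually acts on (process hollowing, persistence, credential access), here is an added Python example; it is not part of the sandbox report or its tooling. The PIDs, image paths, command lines and registry keys are transcribed from this report, while the event tuple layout, the rule thresholds and the user-writable path markers are this example's own assumptions.

```python
"""Correlate raw sandbox events into analyst findings (added example).

Not the sandbox's code or export format: PIDs, paths, command lines and
registry keys are transcribed from the report above; the record layout and
the rule logic are this example's assumptions.
"""
import re
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "Detalles del banco Pdf.exe"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
HIVE = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"

# Process creations as shown in the process tree ("{path}" is the report's own placeholder).
PROCESSES = [
    Proc(4188, None, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(2540, 4188, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\unlOvmub" /XML "' + TEMP + r'\tmpC3EC.tmp"'),
    Proc(2624, 4188, SAMPLE_PATH, "{path}"),
    Proc(1824, 4188, SAMPLE_PATH, "{path}"),
    Proc(5000, 1824, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile'),
]
# WriteProcessMemory as (source pid, target pid), one tuple per reported call: 17 in total.
WRITES = [(4188, 2540)] * 3 + [(4188, 2624)] * 3 + [(4188, 1824)] * 8 + [(1824, 5000)] * 3
# SetThreadContext as (source pid, target pid).
THREAD_CONTEXT = [(4188, 1824)]
# Registry events as (pid, operation, key, value-or-None).
REGISTRY = [
    (4188, "query", HIVE + r"\Control Panel\International\Geo\Nation", None),
    (1824, "open", HIVE + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676", None),
    (1824, "open", HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676", None),
    (1824, "open", HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676", None),
    (1824, "set", HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJVkSQ",
     r"C:\Users\Admin\AppData\Roaming\MJVkSQ\MJVkSQ.exe"),
]

# Assumed markers for locations a standard user can write to (lower-case comparison).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_process_hollowing(procs, writes, thread_context):
    """RunPE pattern: a parent spawns its own image, writes into it and then
    resets the child's thread context. The write count is reported so the
    reader can compare it with the baseline writes that plain process
    creation produces (three per child in this report)."""
    by_pid = {p.pid: p for p in procs}
    writes_to = Counter(writes)
    findings = []
    for src, dst in thread_context:
        child, parent = by_pid.get(dst), by_pid.get(src)
        if not child or not parent or child.ppid != src:
            continue
        if image_name(child.image) != image_name(parent.image):
            continue
        findings.append({"parent": src, "target": dst, "image": image_name(child.image),
                         "writes": writes_to[(src, dst)]})
    return findings


def find_persistence(procs, registry):
    """Run-key values and schtasks /Create launches, flagged when they point
    into user-writable locations (the usual sign of a dropped copy)."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for pid, op, key, value in registry:
        if op == "set" and "\\currentversion\\run\\" in key.lower():
            findings.append({"type": "run_key", "pid": pid, "name": key.rsplit("\\", 1)[-1],
                             "target": value, "user_writable": in_user_writable(value)})
    for p in procs:
        if image_name(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
            continue
        name = re.search(r'/TN\s+"([^"]+)"', p.cmdline, re.I)
        xml = re.search(r'/XML\s+"([^"]+)"', p.cmdline, re.I)
        parent = by_pid.get(p.ppid)
        findings.append({"type": "scheduled_task", "pid": p.pid,
                         "task": name.group(1) if name else None,
                         "xml": xml.group(1) if xml else None,
                         "xml_in_temp": bool(xml and in_user_writable(xml.group(1))),
                         "parent_in_temp": bool(parent and in_user_writable(parent.image))})
    return findings


def find_credential_access(procs, registry):
    """netsh wlan profile enumeration from a user-writable parent, and opens
    of Outlook profile keys, counted per process."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if image_name(p.image) == "netsh.exe" and re.search(r"wlan\s+show\s+profile", p.cmdline, re.I):
            parent = by_pid.get(p.ppid)
            findings.append({"type": "wifi_profiles", "pid": p.pid, "parent": p.ppid,
                             "parent_in_temp": bool(parent and in_user_writable(parent.image))})
    outlook = Counter(pid for pid, op, key, _ in registry
                      if op == "open" and "\\profiles\\outlook\\" in key.lower())
    for pid, count in sorted(outlook.items()):
        findings.append({"type": "outlook_profiles", "pid": pid, "keys": count})
    return findings


def triage(procs=PROCESSES, writes=WRITES, thread_context=THREAD_CONTEXT, registry=REGISTRY):
    return {"hollowing": find_process_hollowing(procs, writes, thread_context),
            "persistence": find_persistence(procs, registry),
            "credential_access": find_credential_access(procs, registry)}


if __name__ == "__main__":
    for category, items in triage().items():
        print(category)
        for item in items:
            print("  ", item)
```

Run stand-alone it prints one hollowing finding (4188 into 1824, eight writes), two persistence findings (the MJVkSQ Run value under %APPDATA% and the Updates\unlOvmub task whose XML sits in Temp) and two credential-access findings (netsh launched by the hollowed process, three Outlook profile keys opened by PID 1824). The hollowing rule deliberately requires SetThreadContext rather than writes alone, which is why PID 2624, written to three times but never given a new thread context, is not reported.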
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Detalles del banco Pdf.exe.log
Filesize: 496B
MD5: 7baa6583f69f63f7230df9bf98448356
SHA1: fe9eb85b57192362da704a3c130377fe83862320
SHA256: a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
SHA512: 0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051
(A CLR usage log written under CLR_v2.0_32 shows the sample ran on the 32-bit .NET Framework 2.0 runtime; the UsageLogs directory is a useful host artefact for finding .NET executables that ran as this user.)

C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp
Filesize: 1KB
MD5: 8b534c60afd3bfc7a313e81695026031
SHA1: d84e32a041f950b33a048b9a11d57b723585db14
SHA256: 7afb486b7676dc14e256c44b0c47f5a180fa6df6d0bf17657abad9045183da9f
SHA512: c8f2b858513edd63367a80c9ab7c319b3abd3f301077e2278cd9b0b3f38ca5b2128e5e215720c42183f35411ba6d75fada1503dda7f603796ef15ae070a15308
(Scheduled task definition XML passed to schtasks /XML.)

Memory dumps
memory/1824-134-0x0000000000000000-mapping.dmp
memory/1824-135-0x0000000000400000-0x0000000000452000-memory.dmp, Filesize: 328KB (the unpacked Agent Tesla payload mapped at the usual 32-bit image base; this is the family_agenttesla YARA match)
memory/1824-137-0x0000000074ED0000-0x0000000075481000-memory.dmp, Filesize: 5.7MB
memory/2540-131-0x0000000000000000-mapping.dmp
memory/2624-133-0x0000000000000000-mapping.dmp
memory/4188-130-0x0000000074ED0000-0x0000000075481000-memory.dmp, Filesize: 5.7MB (the same 5.7MB region at the same address in both the loader and the hollowed child is consistent with a shared runtime DLL rather than payload)
memory/5000-138-0x0000000000000000-mapping.dmp