Analysis
- max time kernel: 155s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:59

Static task: static1

Behavioral task: behavioral1
- Sample: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
- Size: 434KB
- MD5: 28cfa40c77b39ff4dd7b57680d91afff
- SHA1: 05c1d4cd3d8238e0f485ba36855d8e57ce44227b
- SHA256: d4ca1a42f5c889f5b6e12a5f4059ff6bc22c6ea99f830d561baf9d6de3b42eea
- SHA512: 219d8b9104a8a6135b2244c7e0c23c454fe71b0d4b5bfc2f652dbd16118d67c4ff9e3aa51eadb3e6e614d64bde16c6856bd9a3a2707832bc99cc7efa0158175e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.zarkom.rs
- Port: 587
- Username: [email protected]
- Password: Medicko121
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/620-132-0x0000000000400000-0x000000000044C000-memory.dmp
    yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4548 set thread context of 620 (pid 4548, process FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe, target process FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe (PID 4548), FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe (PID 620)
  - PID 4548, FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe (6 occurrences)
  - PID 620, FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe (PID 4548), FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe (PID 620)
  - Token: SeDebugPrivilege, PID 4548, FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
  - Token: SeDebugPrivilege, PID 620, FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 4548 wrote to memory of 620 (pid 4548, process FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe, target process FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe), 8 occurrences
- outlook_office_path (1 IoC)
  Process: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe"
  PID: 4548
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe
    Command line: "{path}"
    PID: 620
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\FEDEX Online Customer Advisory AWB, BL Commercial. Invoice 20207105534231.pdf.exe.log
  Filesize: 313B
  MD5: 580032b56f3eb50550c370c45282819d
  SHA1: f038df98749b531df14f79561e4d4aa47ed273a0
  SHA256: c35d3e01e4f85ef6cec646d28d0c228dea97e0afe16193ee35944f8ba7022ddd
  SHA512: 3c435e5bfe5511d57710e7f4892abad5f1c02a1a839c1da1476d9ef851ecf540350e62e8148eb1533f83c5d3d5ad62779e66710281d516227cd727fb9a16c44e
- memory/620-131-0x0000000000000000-mapping.dmp
- memory/620-132-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/620-134-0x0000000074720000-0x0000000074CD1000-memory.dmp
  Filesize: 5.7MB
- memory/4548-130-0x0000000074720000-0x0000000074CD1000-memory.dmp
  Filesize: 5.7MB