Analysis
-
max time kernel
60s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 02:27
General
-
Target
Facturas Pagadas al Vencimiento.exe
-
Size
512KB
-
MD5
d1c78423165fbff2c47ffa3d31680456
-
SHA1
b41b78454e0441df4a3a87f62a896e0133d46063
-
SHA256
ac979891a231a3af79a31a52663f77fe151bbbddee9b13750ea02e82f6aefd40
-
SHA512
27615dfd230a1ff47a8ebe9541fc886885178e5725d8a7b66f3169562cb99c88fb4076384761f9ef6f0d3f78bf4332cd8c66907efe3fc722eaf4a878e88adde9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
kroskofile
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe"C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1184-58-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1184-61-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1184-59-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1184-62-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1184-63-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1184-64-0x000000000044A75E-mapping.dmp
-
memory/1184-68-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1184-66-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1472-54-0x00000000000D0000-0x0000000000156000-memory.dmpFilesize
536KB
-
memory/1472-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmpFilesize
8KB
-
memory/1472-56-0x00000000002B0000-0x00000000002C0000-memory.dmpFilesize
64KB
-
memory/1472-57-0x0000000000BB0000-0x0000000000C06000-memory.dmpFilesize
344KB