Analysis
- max time kernel: 152s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: Request for Quotation.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Request for Quotation.exe
  Resource: win10v2004-20220414-en
General
- Target: Request for Quotation.exe
- Size: 522KB
- MD5: 90868ea38ee67574c75f0b44bc23f240
- SHA1: 6d59b6b66e6a57cbfd4bb8211c8a988d1ab68c7f
- SHA256: 8c2e223633dad17b0830a0efc0a1a3edfd835e176c5a502d36bb0021dfdbf2dc
- SHA512: 718380e06d37cfbde6e1dde2ef0c7f5e1846c34baba1234be2cf11717d7b0e55b8ea3405a49eff43fd5728ada9468d54f10f5eb9dcc8458b2038ae4931c694d9
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: admin@slboercleaning.com
- Password: WS!jmys8
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/4520-138-0x0000000000400000-0x0000000000450000-memory.dmp
    yara_rule: family_agenttesla
- CoreCCC Packer (1 IoCs)
  Detects the CoreCCC packer used to load .NET malware.
  Processes:
    resource: behavioral2/memory/3856-130-0x00000000003B0000-0x0000000000438000-memory.dmp
    yara_rule: coreccc
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: Request for Quotation.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Request for Quotation.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Request for Quotation.exe
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Request for Quotation.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 3856 set thread context of 4520
    process: Request for Quotation.exe (PID 3856)
    target process: Request for Quotation.exe (PID 4520)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    PID 3856: Request for Quotation.exe
    PID 4520: Request for Quotation.exe
    PID 4520: Request for Quotation.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    process: Request for Quotation.exe (PID 3856)
    description: Token: SeDebugPrivilege
    process: Request for Quotation.exe (PID 4520)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | process -> target process):
    PID 3856 wrote to memory of 2876 | Request for Quotation.exe -> schtasks.exe
    PID 3856 wrote to memory of 2876 | Request for Quotation.exe -> schtasks.exe
    PID 3856 wrote to memory of 2876 | Request for Quotation.exe -> schtasks.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
    PID 3856 wrote to memory of 4520 | Request for Quotation.exe -> Request for Quotation.exe
- outlook_office_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Request for Quotation.exe
- outlook_win_path (1 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Request for Quotation.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UvAFCP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB65.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (level 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request for Quotation.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Local\Temp\tmpBB65.tmp
  Filesize: 1KB
  MD5: 7520185673a829244969156c8735f526
  SHA1: 6a7ee81d60ace42b79567d302f04472d41a50ee8
  SHA256: a007ae8ecacc7eba847f2e88d9e162c0a065b0480ed503e3366683d1545f2eb9
  SHA512: ca694405344bbccc9f2cb239dcfb54b5ab152c49b6df607bc93cd03acfffc0ce0d481c685dde626fded0be5d3935fbc2c624b089648fd2e182122baab7ef636d
- memory/2876-135-0x0000000000000000-mapping.dmp
- memory/3856-130-0x00000000003B0000-0x0000000000438000-memory.dmp
  Filesize: 544KB
- memory/3856-131-0x0000000005390000-0x0000000005934000-memory.dmp
  Filesize: 5.6MB
- memory/3856-132-0x0000000004E80000-0x0000000004F12000-memory.dmp
  Filesize: 584KB
- memory/3856-133-0x0000000004DE0000-0x0000000004DEA000-memory.dmp
  Filesize: 40KB
- memory/3856-134-0x0000000007370000-0x000000000740C000-memory.dmp
  Filesize: 624KB
- memory/4520-137-0x0000000000000000-mapping.dmp
- memory/4520-138-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/4520-140-0x0000000005D70000-0x0000000005DD6000-memory.dmp
  Filesize: 408KB
- memory/4520-141-0x0000000006900000-0x0000000006950000-memory.dmp
  Filesize: 320KB