Analysis
- max time kernel: 123s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:12
Static task: static1
Behavioral task: behavioral1
- Sample: BalPO21504pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: BalPO21504pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: BalPO21504pdf.exe
- Size: 392KB
- MD5: 26b4ecd94509e28f4ae0fadc37982a24
- SHA1: a08b1e93b2f33ed19c7c2d766ba6ec4b12f670c6
- SHA256: 31f91924abcb4657d19721140bb21db8b517dc6a48830c7c5dc53d819c507248
- SHA512: 422f28259d188f8d02368c0419eb212e12ca5d657340311ad11732c768dd497665e42e4b6fbc7e084ce7c724e8174551d682801fd9040b4e7f52319b6671a4ca
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: secure231.servconfig.com
- Port: 587
- Username: info@eltaef.com
- Password: eltaefSH6548883
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer (1 IoC)
  A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
  Processes:
    resource | yara_rule
    behavioral1/memory/560-56-0x0000000000330000-0x0000000000338000-memory.dmp | coreentity
- AgentTesla Payload (6 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2000-61-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/2000-62-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/2000-63-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/2000-64-0x000000000044C92E-mapping.dmp | family_agenttesla
    behavioral1/memory/2000-66-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral1/memory/2000-68-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- ReZer0 packer (1 IoC)
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  Processes:
    resource | yara_rule
    behavioral1/memory/560-57-0x0000000000C20000-0x0000000000C78000-memory.dmp | rezer0
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: BalPO21504pdf.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | BalPO21504pdf.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | BalPO21504pdf.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | BalPO21504pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: BalPO21504pdf.exe
    description | pid | process | target process
    PID 560 set thread context of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: BalPO21504pdf.exe, BalPO21504pdf.exe
    pid | process
    560 | BalPO21504pdf.exe
    560 | BalPO21504pdf.exe
    560 | BalPO21504pdf.exe
    2000 | BalPO21504pdf.exe
    2000 | BalPO21504pdf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: BalPO21504pdf.exe, BalPO21504pdf.exe
    description | pid | process
    Token: SeDebugPrivilege | 560 | BalPO21504pdf.exe
    Token: SeDebugPrivilege | 2000 | BalPO21504pdf.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: BalPO21504pdf.exe, BalPO21504pdf.exe
    description | pid | process | target process
    PID 560 wrote to memory of 1980 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1980 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1980 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1980 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1984 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1984 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1984 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 1984 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 560 wrote to memory of 2000 | 560 | BalPO21504pdf.exe | BalPO21504pdf.exe
    PID 2000 wrote to memory of 1652 | 2000 | BalPO21504pdf.exe | netsh.exe
    PID 2000 wrote to memory of 1652 | 2000 | BalPO21504pdf.exe | netsh.exe
    PID 2000 wrote to memory of 1652 | 2000 | BalPO21504pdf.exe | netsh.exe
    PID 2000 wrote to memory of 1652 | 2000 | BalPO21504pdf.exe | netsh.exe
- outlook_office_path (1 IoC)
  Processes: BalPO21504pdf.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | BalPO21504pdf.exe
- outlook_win_path (1 IoC)
  Processes: BalPO21504pdf.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | BalPO21504pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BalPO21504pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BalPO21504pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BalPO21504pdf.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\BalPO21504pdf.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\BalPO21504pdf.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  dump | filesize
  memory/560-54-0x0000000000F50000-0x0000000000FB8000-memory.dmp | 416KB
  memory/560-55-0x0000000075271000-0x0000000075273000-memory.dmp | 8KB
  memory/560-56-0x0000000000330000-0x0000000000338000-memory.dmp | 32KB
  memory/560-57-0x0000000000C20000-0x0000000000C78000-memory.dmp | 352KB
  memory/1652-70-0x0000000000000000-mapping.dmp |
  memory/2000-61-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB
  memory/2000-59-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB
  memory/2000-62-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB
  memory/2000-63-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB
  memory/2000-64-0x000000000044C92E-mapping.dmp |
  memory/2000-66-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB
  memory/2000-68-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB
  memory/2000-58-0x0000000000400000-0x0000000000452000-memory.dmp | 328KB