Analysis
- max time kernel: 133s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-06-2022 08:25
Static task: static1
Behavioral task: behavioral1
  Sample: sample listings skptpdf0842.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: sample listings skptpdf0842.js
  Resource: win10v2004-20220414-en
General
- Target: sample listings skptpdf0842.js
- Size: 456KB
- MD5: c7e2d34c8e775bc3f982b02fee75dfe3
- SHA1: 2244832b9f0f23c108237e62083874736c19cae4
- SHA256: 43f03e4c89f5b041b57fd4c2e8a79295f59a700f18cbaffca5853e7c514c9809
- SHA512: b87293cac0ace72c522859455e1d495ab8c295b9c2743615530e6e3d1997a52bc4b70ce2662d6f4b96ec19112eeab25e0e770f61d715cdde61604943f4a4cb63
Malware Config
Extracted
- Protocol: smtp
- Host: smtpout.secureserver.net
- Port: 587
- Username: [email protected]
- Password: talific123$
Extracted: agenttesla
- Protocol: smtp
- Host: smtpout.secureserver.net
- Port: 587
- Username: [email protected]
- Password: talific123$
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- suricata: ET MALWARE AgentTesla Exfil Via SMTP
- Blocklisted process makes network request (15 IoCs)
  Processes: wscript.exe
  flow  pid   process
  5     2608  wscript.exe
  15    2608  wscript.exe
  21    2608  wscript.exe
  22    2608  wscript.exe
  29    2608  wscript.exe
  38    2608  wscript.exe
  41    2608  wscript.exe
  44    2608  wscript.exe
  45    2608  wscript.exe
  46    2608  wscript.exe
  49    2608  wscript.exe
  50    2608  wscript.exe
  51    2608  wscript.exe
  52    2608  wscript.exe
  53    2608  wscript.exe
- Executes dropped EXE (1 IoC)
  Processes: FMAN-BIN.exe
  pid   process
  3236  FMAN-BIN.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xKiVqeKLaG.js
  process: wscript.exe
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xKiVqeKLaG.js
  process: wscript.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: FMAN-BIN.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: FMAN-BIN.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: FMAN-BIN.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: FMAN-BIN.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: wscript.exe, FMAN-BIN.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: wscript.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\xKiVqeKLaG.js\""
  process: wscript.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puJISYW = "C:\\Users\\Admin\\AppData\\Roaming\\puJISYW\\puJISYW.exe"
  process: FMAN-BIN.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: FMAN-BIN.exe
  pid   process
  3236  FMAN-BIN.exe
  3236  FMAN-BIN.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: FMAN-BIN.exe
  description: Token: SeDebugPrivilege
  pid: 3236
  process: FMAN-BIN.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: FMAN-BIN.exe
  pid   process
  3236  FMAN-BIN.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: wscript.exe
  description                          pid   process      target process
  PID 2388 wrote to memory of 2608     2388  wscript.exe  wscript.exe
  PID 2388 wrote to memory of 2608     2388  wscript.exe  wscript.exe
  PID 2388 wrote to memory of 3236     2388  wscript.exe  FMAN-BIN.exe
  PID 2388 wrote to memory of 3236     2388  wscript.exe  FMAN-BIN.exe
  PID 2388 wrote to memory of 3236     2388  wscript.exe  FMAN-BIN.exe
- outlook_office_path (1 IoC)
  Processes: FMAN-BIN.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: FMAN-BIN.exe
- outlook_win_path (1 IoC)
  Processes: FMAN-BIN.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: FMAN-BIN.exe
Processes
- C:\Windows\system32\wscript.exe (level 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\sample listings skptpdf0842.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (level 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\xKiVqeKLaG.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FMAN-BIN.exe
  Filesize: 210KB
  MD5: 477692680d4b8f9654974a3a5f0e2e99
  SHA1: 276c7d77d8e94574b43e8f36031c0381b0a839e8
  SHA256: 6e264be8b403141a521201dc0155ce5bca75e91d4da54f162aee955f8f5f0102
  SHA512: 6cf57f48f15a4ebf5b61e004680f88088db598de64601ee7f6e2e22db2043226a572c3fc26504e63cd1777c13a115602c005b408908e9d48258f03b588e05642
- C:\Users\Admin\AppData\Roaming\xKiVqeKLaG.js
  Filesize: 28KB
  MD5: 4ea41872b7b6651444b138e32c83e985
  SHA1: d4b2cb42fa5c7fab5783ff00bdd97438f8ec16d2
  SHA256: b8e28ceb4998924d08c07c23787b4cd1fae87e6afc0737a2f87ee675322e64f4
  SHA512: 3d039f38ebc4d72ef1e26870ff8887b491334281e817016986c6e48e1edd5293ea9ea49d8bce21948c616ad17b3b8fe3eda4bda4f18aaebd77eccbf7d8171f48
- memory/2608-130-0x0000000000000000-mapping.dmp
- memory/3236-132-0x0000000000000000-mapping.dmp
- memory/3236-135-0x0000000000290000-0x00000000002CA000-memory.dmp
  Filesize: 232KB
- memory/3236-136-0x0000000005310000-0x00000000058B4000-memory.dmp
  Filesize: 5.6MB
- memory/3236-137-0x0000000004D60000-0x0000000004DFC000-memory.dmp
  Filesize: 624KB
- memory/3236-138-0x0000000005270000-0x00000000052D6000-memory.dmp
  Filesize: 408KB
- memory/3236-139-0x0000000005FF0000-0x0000000006040000-memory.dmp
  Filesize: 320KB
- memory/3236-140-0x0000000006220000-0x00000000062B2000-memory.dmp
  Filesize: 584KB
- memory/3236-141-0x00000000061D0000-0x00000000061DA000-memory.dmp
  Filesize: 40KB