Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-09-2022 10:39

General

  • Target

    Dekont.PDF.exe

  • Size

    1.6MB

  • MD5

    76ba6964a46301e0b22a182eb1796af4

  • SHA1

    365a5c45aedadd22ad59948fcf602d814462b7a0

  • SHA256

    47646f3f8c7c4ddd4b3c216bf6c52980abe65a44fa54113d5f16d90cedd99fdd

  • SHA512

    ba56f078f1a2d38bf05466884cc715ec12ad4d8ed637fe9184cb4db3ec8e6eadfac1127c16b1955545f4a4fc12ad9b2c8a107c813adcf83e3f72c075309fa53f

  • SSDEEP

    24576:gAOcZXQO+cyQF5zO8Y78i4RBayBkvDr/DwpN6k77rvyOMhoihMhi9+zOgQVUWTA:+o8S9GyyvPDwpN6kDbUsi9LPTA

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but it is a generic heuristic: infostealers also enumerate drives when harvesting files, which is the more plausible reading for this sample.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\1_94\DL NETIVE BOTNET LOGS.exe
      "C:\1_94\DL NETIVE BOTNET LOGS.exe" ... that Dmitri Smirnov (pictured) composed the Triple Concerto No.
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        PID:4896
    • C:\1_94\pusgniqwdg.pif
      "C:\1_94\pusgniqwdg.pif" xbpe.hvn
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:5052
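Detection logic for the process tree above and for the Telegram C2 URLs in the Malware Config section, as an added example that is not part of the sandbox report. The process-creation records are constructed from the report's process tree (plus one benign control record for a legitimately used RegSvcs.exe); the event field names, the rule names, the list of .NET host binaries and the user-writable-path heuristic are this example's own assumptions, loosely modelled on Sysmon Event ID 1 fields.

```python
"""Rules for the hollowing chain and Telegram C2 seen in this report.

Added example, not code from the sandbox or the malware families. Event
schema, rule names and path heuristics are assumptions of this example.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed process-creation events mirroring the report's process tree,
# plus a benign control (pid 7000) that must not be flagged.
EVENTS = [
    {"pid": 1028, "ppid": 4, "image": r"C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"'},
    {"pid": 1680, "ppid": 1028, "image": r"C:\1_94\DL NETIVE BOTNET LOGS.exe",
     "cmdline": r'"C:\1_94\DL NETIVE BOTNET LOGS.exe"'},
    {"pid": 4896, "ppid": 1680, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"pid": 2340, "ppid": 1028, "image": r"C:\1_94\pusgniqwdg.pif",
     "cmdline": r'"C:\1_94\pusgniqwdg.pif" xbpe.hvn'},
    {"pid": 5052, "ppid": 2340, "image": r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"'},
    {"pid": 7000, "ppid": 6999, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe /u C:\app\svc.dll"},
]

# The two C2 URLs from the extracted configs.
C2_URLS = [
    "https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579",
    "https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/",
]

# .NET utilities commonly hollowed by AgentTesla-style loaders (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "applaunch.exe", "installutil.exe", "msbuild.exe"}
LURE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(exe|scr|pif|com)$", re.I)
SYSTEM_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}
TELEGRAM_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)(?:/(\w+))?/?$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_user_writable(path):
    """Heuristic: %TEMP% or a one-level folder off the drive root such as C:\\1_94\\."""
    low = path.lower()
    if "\\appdata\\local\\temp\\" in low:
        return True
    parts = low.split("\\")
    return len(parts) == 3 and parts[1] not in SYSTEM_ROOTS


def args_of(ev):
    """Command line with the (quoted or bare, full or basename) image stripped."""
    cmd, img = ev["cmdline"], ev["image"]
    for prefix in (f'"{img}"', img, f'"{basename(img)}"', basename(img)):
        if cmd.startswith(prefix):
            return cmd[len(prefix):].strip()
    return cmd


def evaluate(events):
    """Return (pid, rule) hits for the loader-to-hollowed-host pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        img, name = ev["image"], basename(ev["image"]).lower()
        parent = by_pid.get(ev["ppid"])
        parent_writable = parent is not None and is_user_writable(parent["image"])
        if LURE_EXT.search(name):
            hits.append((ev["pid"], "double_extension_lure"))
        if name.endswith((".pif", ".scr")):
            hits.append((ev["pid"], "legacy_executable_extension"))
        if name in DOTNET_HOSTS:
            if "\\microsoft.net\\framework" not in img.lower():
                # RegSvcs.exe copied to %TEMP% and run from there (pid 5052).
                hits.append((ev["pid"], "dotnet_host_outside_framework_dir"))
            elif args_of(ev) == "" and parent_writable:
                # Framework-resident host with no arguments, spawned by a dropped
                # file: the SetThreadContext/WriteProcessMemory hollowing shape.
                hits.append((ev["pid"], "dotnet_host_hollowing_candidate"))
        elif is_user_writable(img) and parent_writable:
            hits.append((ev["pid"], "dropped_exe_from_user_writable_path"))
    return hits


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into bot id, full token, method and chat_id."""
    u = urlsplit(url)
    if u.scheme != "https" or u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_PATH.match(u.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    return {"bot_id": bot_id, "token": f"{bot_id}:{secret}", "method": method,
            "chat_id": parse_qs(u.query).get("chat_id", [None])[0]}


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
    for url in C2_URLS:
        print(parse_telegram_c2(url))
```

The benign control shows the two-part test for the .NET hosts: a Framework-resident RegSvcs.exe with real arguments is not flagged, while the same binary copied to %TEMP%, or an argument-less AppLaunch.exe whose parent lives in a freshly created root folder, is. The parsed bot id and token are what to hand to a proxy or DNS-egress block and to Telegram abuse reporting; note that the BluStealer URL carries the chat_id inline, whereas the AgentTesla config stores only the bot prefix and supplies the method and chat_id at send time.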

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\1_94\DL NETIVE BOTNET LOGS.exe

    Filesize

    440KB

    MD5

    61f35c53811bb66d62effc5a53de458f

    SHA1

    e4507c6a3d5c3d01f19c487366044febb126ca70

    SHA256

    833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

    SHA512

    5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

  • C:\1_94\phiv.noq

    Filesize

    419KB

    MD5

    9e24af62c8fd951dc8c9ebf8082e56c2

    SHA1

    4c56b3059055b4e8741611e1b55e32fd5d55fe32

    SHA256

    74d6840ebabc919b6399358bbce8507f2da165d12f95bb144ef73f0b0ebb3936

    SHA512

    433152ff88dcdeb7a23606702ea61c26ce75902bb9d6f631e8e589145c3483ac408ac88ba7b9ae3443084389107bf6622ad532e78abec8e120f3fc0a21a8b2fe

  • C:\1_94\pusgniqwdg.pif

    Filesize

    820KB

    MD5

    0c996fa7285452f1302d8c781bd72972

    SHA1

    93b2a1bce155afec134804b3a2ef6b40ac0a4178

    SHA256

    470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

    SHA512

    e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

  • C:\1_94\vxve.exe

    Filesize

    59KB

    MD5

    c739ed663921f7c2cd1e806f46b32d92

    SHA1

    ae5b9711392c0972add32635c60da5b1a807074f

    SHA256

    8822b0a84853c52e7595a26c1827adf0c659065bc93fc81a97791014a8770218

    SHA512

    e167b4a07e585ee5b1fb45ee68a002618f0cc7f8415875a4b4121c113369a0b786665d02ee615237b5867c311e646e13131f281b519d76ead236d80b8781d6e1

  • C:\1_94\xbpe.hvn

    Filesize

    218.9MB

    MD5

    9162c8e0ae1fad9e706248b904a9e1cd

    SHA1

    b7b90b6e3e422c3b0e008878e9609408839cc578

    SHA256

    3739cf8b42b0295579592aa2cfbdfa138f387803e198d9c68967bd0fef694c1e

    SHA512

    91ddbf165ba945072c790af134b8e128ef317dc3e7c0174eb8faae43da68138dbbbf02da97b034df2ae91a2aa38aae5fccd636942a63d84ffded26a9e3b5679d

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • memory/4896-144-0x0000000005310000-0x00000000053AC000-memory.dmp

    Filesize

    624KB

  • memory/4896-142-0x0000000000C00000-0x0000000000C66000-memory.dmp

    Filesize

    408KB

  • memory/5052-146-0x0000000000C00000-0x00000000012A6000-memory.dmp

    Filesize

    6.6MB

  • memory/5052-150-0x0000000000C00000-0x0000000000C3A000-memory.dmp

    Filesize

    232KB

  • memory/5052-151-0x0000000005DE0000-0x0000000006384000-memory.dmp

    Filesize

    5.6MB

  • memory/5052-152-0x0000000005D70000-0x0000000005DD6000-memory.dmp

    Filesize

    408KB

  • memory/5052-153-0x0000000006B10000-0x0000000006B60000-memory.dmp

    Filesize

    320KB

  • memory/5052-154-0x0000000006E40000-0x0000000006ED2000-memory.dmp

    Filesize

    584KB

  • memory/5052-155-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

    Filesize

    40KB