Overview

overview

10

Static

static

1

BL-SHIPPIN...TS.exe

windows7-x64

8

BL-SHIPPIN...TS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BL-SHIPPING DOCUMENTS.exe

  • Size

    928KB

  • MD5

    45c41df318e24e20adb94219d4906ff4

  • SHA1

    e771d4f59b1d95c5602d1e40f2da9e62c053b1ab

  • SHA256

    2f3c179b97541b711d8926cf95673e1bcdbd2ce6ed22980abf88ba689ab2f21d

  • SHA512

    cdb4c45a14fba31d6e002c8ef8a59412974d03d0671edbcc0e715089b38623a1817579c800bb6b3bd36ec423f58ce42a5ce40cbd8aa24a1f9d6e49bde527ebf1

  • SSDEEP

    24576:Ha8XJqYPStVPYmOlLltOOr3C1zC+GGOG4emawVl9R9:HF1PSkl73H+GS4XawVrT

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
    "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
      "C:\Users\Admin\AppData\Local\Temp\bbograbg.exe" "C:\Users\Admin\AppData\Local\Temp\pnfxc.au3"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
        "C:\Users\Admin\AppData\Local\Temp\bbograbg.exe" "C:\Users\Admin\AppData\Local\Temp\pnfxc.au3"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\epivs.kd
    Filesize

    295KB

    MD5

    38a2786b590080213f63dcc3967127f5

    SHA1

    b5b87e66ad7778044a00b6e5232cb833f0ccbf3d

    SHA256

    de49ac9c35e73ae7410b46f2d0ac0eadb38a0f088e28ea90fdaf5793f017f1f2

    SHA512

    cfca9e7da8f37e636db6cb2b161027a81f76eb1ea28e3736589215f0a942310e7bca2b01936c8ca719c547e8617c6e32021eaee055bd0ef1ce9d8e87855f1150

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\flnfhvzb.mfb
    Filesize

    57KB

    MD5

    9639f517d0a70b3591e6ae53fd4fbad9

    SHA1

    4ad59a6d5f8f37d11b42a1ecc5bf16fe2f83079f

    SHA256

    d904bde2c2e74f218f795c24df824fe42ca01824cd74ad7e069aef4f814a899e

    SHA512

    525bc0af6edea3912b7e61add88474b01cff6fa295dc33aefc7c0976e8ca2b4613d90f073bbff9f387798368f53016884e2789d66d6cad0be4d4b6fd5c6a3265

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pnfxc.au3
    Filesize

    5KB

    MD5

    9b259373b2886de89bbf942070eb210e

    SHA1

    b83f27fe56cdc82e891432bd436189da5e689948

    SHA256

    b40e90cf1e999b3ed7cbd50281f9a3bee1a7dffa3896dbdb90bcce097cad577b

    SHA512

    be271f9fa5b7bdc356f1d16517ebd0111327b2271f15c143d44697b7b0838d29252e66c031136570f9560ef0682f9501911ed3659df78f1ff15976534c60506a

    Download Submit
  • memory/2496-136-0x0000000001BE0000-0x0000000001DF0000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/2496-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3028-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3028-141-0x0000000005ED0000-0x0000000006474000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3028-142-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/3028-143-0x00000000059C0000-0x0000000005A5C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3028-144-0x00000000071C0000-0x0000000007226000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3028-145-0x00000000073F0000-0x0000000007440000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3028-146-0x0000000007520000-0x00000000075B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3028-147-0x0000000007A10000-0x0000000007A1A000-memory.dmp
    Filesize

    40KB

    Download