Analysis
-
max time kernel
149s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-es -
resource tags
arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
10-02-2023 10:50
Behavioral task
behavioral1
Sample
CAIXABAN.exe
Resource
win7-20220812-es
Behavioral task
behavioral2
Sample
CAIXABAN.exe
Resource
win10v2004-20221111-es
General
-
Target
CAIXABAN.exe
-
Size
72KB
-
MD5
fe3ab924e1d37874593b376966d5440f
-
SHA1
9a6e8a32dbdac605421d987022f0bd12ed6fa415
-
SHA256
c6f61c3603ed074cec9af4cf5b6c4f56ef5d476e4cb06e21e5c1b313128b4e0d
-
SHA512
68c48f55f875dbd9781df595ffc2812b4e776a90a46d2e4ece114b079e3e0537d461f8da58947c4b9d029dfb5e3d30994861231d8e7280fc807a31e160dade0e
-
SSDEEP
384:o8SOHLPTDeUzpNGkrdwTXCZB9i3oN6anxOPz0GwJ3TDCYt/9QylTW:o8rLyUfi3yLDTVW
Malware Config
Extracted
purecrypter
http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmp
Extracted
agenttesla
Protocol: smtp- Host:
mail.humanpower.vn - Port:
587 - Username:
sales@humanpower.vn - Password:
xlA}CL.(Jj8C - Email To:
brimax@ventadeasfaltorc-250enlima.pe
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation CAIXABAN.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CAIXABAN.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CAIXABAN.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CAIXABAN.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ryjtppsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ulrfeummho\\Ryjtppsu.exe\"" CAIXABAN.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4872 set thread context of 1660 4872 CAIXABAN.exe 85 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1944 powershell.exe 1944 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4872 CAIXABAN.exe Token: SeDebugPrivilege 1944 powershell.exe Token: SeDebugPrivilege 1660 CAIXABAN.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4872 wrote to memory of 1944 4872 CAIXABAN.exe 81 PID 4872 wrote to memory of 1944 4872 CAIXABAN.exe 81 PID 4872 wrote to memory of 1944 4872 CAIXABAN.exe 81 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 PID 4872 wrote to memory of 1660 4872 CAIXABAN.exe 85 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CAIXABAN.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CAIXABAN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exeC:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1660
-
Network
-
Remote address:8.8.8.8:53Requestsuperbtanzaniasafaris.comIN AResponsesuperbtanzaniasafaris.comIN A198.54.116.34
-
Remote address:198.54.116.34:80RequestGET /zav/Qtpprpwy.bmp HTTP/1.1
Host: superbtanzaniasafaris.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
cache-control: public, max-age=31536000
expires: Sat, 10 Feb 2024 10:51:28 GMT
content-type: image/bmp
last-modified: Fri, 10 Feb 2023 06:52:27 GMT
etag: "ecfb1-63e5e9ab-0;;;"
accept-ranges: bytes
content-length: 970673
date: Fri, 10 Feb 2023 10:51:28 GMT
server: LiteSpeed
referrer-policy: no-referrer-when-downgrade
x-turbo-charged-by: LiteSpeed
-
Remote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN CNAMEapi4.ipify.orgapi4.ipify.orgIN A64.185.227.155api4.ipify.orgIN A173.231.16.76api4.ipify.orgIN A104.237.62.211
-
Remote address:8.8.8.8:53Request96.108.152.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.110.152.52.in-addr.arpaIN PTRResponse
-
17.2kB 999.8kB 371 717
HTTP Request
GET http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmpHTTP Response
200 -
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
260 B 5
-
260 B 5
-
322 B 7
-
208 B 4
-
260 B 5
-
260 B 5
-
260 B 5
-
71 B 87 B 1 1
DNS Request
superbtanzaniasafaris.com
DNS Response
198.54.116.34
-
59 B 126 B 1 1
DNS Request
api.ipify.org
DNS Response
64.185.227.155173.231.16.76104.237.62.211
-
72 B 146 B 1 1
DNS Request
96.108.152.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
14.110.152.52.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fa566c9cc0cdfc2479d186ed2a7d2078
SHA1a4f5bc2d5d055a766b19f095f0a670eeda57c24b
SHA256bccaf63847951e065e8af3714593cdd2f8ecb76b384c1f7c71e3cd89df314960
SHA512ab3efa28f6f90dddde1472a474e26874e21248cc26603acb582ceb419e81165f4dc1044551755635dc6fd89600cbe0f1daec2ccb185fe77c68df16622e53396f