Malware Analysis Report

2024-11-30 21:48

Sample ID 230210-mxff2acb77
Target CaixaBank_ Documento de Pago_Pdf.iso
SHA256 29d212f84a154cdc5f3d9427f03113e9681dee943963a9779f466ecadab0ed40
Tags
purecrypter agenttesla collection downloader keylogger loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29d212f84a154cdc5f3d9427f03113e9681dee943963a9779f466ecadab0ed40

Threat Level: Known bad

The file CaixaBank_ Documento de Pago_Pdf.iso was found to be: Known bad.

Malicious Activity Summary

purecrypter agenttesla collection downloader keylogger loader persistence spyware stealer trojan

Purecrypter family

PureCrypter

AgentTesla

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-10 10:50

Signatures

Purecrypter family

purecrypter

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-10 10:50

Reported

2023-02-10 10:53

Platform

win7-20220812-es

Max time kernel

152s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

PureCrypter

loader downloader purecrypter

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ryjtppsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ulrfeummho\\Ryjtppsu.exe\"" | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 832 set thread context of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 832 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 832 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 832 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 832 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 832 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 832 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | superbtanzaniasafaris.com | udp
US | 198.54.116.34:80 | superbtanzaniasafaris.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.237.62.211:443 | api.ipify.org | tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-10 10:50

Reported

2023-02-10 10:53

Platform

win10v2004-20221111-es

Max time kernel

149s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

PureCrypter

loader downloader purecrypter

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ryjtppsu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ulrfeummho\\Ryjtppsu.exe\"" | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4872 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4872 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe
PID 4872 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

"C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

C:\Users\Admin\AppData\Local\Temp\CAIXABAN.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | superbtanzaniasafaris.com | udp
US | 198.54.116.34:80 | superbtanzaniasafaris.com | tcp
NL | 8.238.20.126:80 |  | tcp
NL | 104.80.225.205:443 |  | tcp
US | 20.42.72.131:443 |  | tcp
NL | 8.238.20.126:80 |  | tcp
NL | 8.238.20.126:80 |  | tcp
NL | 8.238.20.126:80 |  | tcp
NL | 8.238.20.126:80 |  | tcp
NL | 8.238.20.126:80 |  | tcp
NL | 8.238.21.126:80 |  | tcp
US | 52.109.13.62:443 |  | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 64.185.227.155:443 | api.ipify.org | tcp
US | 40.77.2.164:443 |  | tcp
US | 67.26.109.254:80 |  | tcp
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
US | 52.109.13.62:443 |  | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CAIXABAN.exe.log

MD5 fa566c9cc0cdfc2479d186ed2a7d2078
SHA1 a4f5bc2d5d055a766b19f095f0a670eeda57c24b
SHA256 bccaf63847951e065e8af3714593cdd2f8ecb76b384c1f7c71e3cd89df314960
SHA512 ab3efa28f6f90dddde1472a474e26874e21248cc26603acb582ceb419e81165f4dc1044551755635dc6fd89600cbe0f1daec2ccb185fe77c68df16622e53396f