Analysis
- max time kernel: 255s
- max time network: 258s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2023 07:59
Behavioral task behavioral1
- Sample: DHL Consignment Details_pdf.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: DHL Consignment Details_pdf.exe
- Resource: win10v2004-20230220-en
General
- Target: DHL Consignment Details_pdf.exe
- Size: 605KB
- MD5: e915458310797b8738f816e6231e139e
- SHA1: 5550e9bed859987c2a21fc2a3a20621805fc57bc
- SHA256: 29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81
- SHA512: 09a8c30c5bc442873a7bf0428f8b074f01e6648273218bc6855d7a38f8485208edc8acb835647851237da4df0ffe2a0507e1a02191490b4cfe987bec5cff753b
- SSDEEP: 6144:gINjprJlckeFAypJXSu/2I9A80ab94dhx/8NJCibbb42et5k+nV/YLGmA:/rJllzkdSW0B8M2et5Hnd
Malware Config
Extracted family: agenttesla (SMTP exfiltration account embedded in the sample; the host, port and username are usable as blocking and hunting indicators)
- Protocol: smtp
- Host: mail.flood-protection.org
- Port: 587
- Username: somc@flood-protection.org
- Password: somc2424@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic on .NET.
- AgentTesla payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1632-133-0x0000000000390000-0x000000000042E000-memory.dmp  family_agenttesla
  behavioral2/memory/1716-145-0x0000000000390000-0x00000000003E0000-memory.dmp  family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: DHL Consignment Details_pdf.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  PID 1632 (DHL Consignment Details_pdf.exe) set thread context of PID 1716 (DHL Consignment Details_pdf.exe)
  A process spawning a second copy of its own image, writing into it (see WriteProcessMemory below) and then resetting that process's thread context is the sequence used by RunPE-style process hollowing; the family_agenttesla hit on the child's memory at the same base address (0x390000) is consistent with the decrypted payload having been written into the child.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1632 DHL Consignment Details_pdf.exe (3 events)
  PID 1716 DHL Consignment Details_pdf.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1632 DHL Consignment Details_pdf.exe
  Token: SeDebugPrivilege, PID 1716 DHL Consignment Details_pdf.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1632 (DHL Consignment Details_pdf.exe) wrote to memory of PID 1716 (DHL Consignment Details_pdf.exe), 8 events
  PID 1716 (DHL Consignment Details_pdf.exe) wrote to memory of PID 1568 (netsh.exe), 3 events
- outlook_office_path (1 IoC)
  Process: DHL Consignment Details_pdf.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: DHL Consignment Details_pdf.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
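The signatures above are each a query over process, registry and network events. The script below is an added example, not code from the report or the sandbox vendor, that turns four of them into detection functions and runs them over constructed events. The event shape (a simplified Sysmon-like dict with `type`, `pid`, `target_pid`, `key`, `cmdline`, `dest_host`, `dest_port` fields) is an assumption, not a real log format; PIDs, image names, registry keys and the netsh command line are taken from the report, while the `network_connect` event and the `MAIL_CLIENTS` allow-list are constructed from the extracted SMTP config because the report itself records no traffic.

```python
"""Detections for the behaviours in this report (added example; event
format and MAIL_CLIENTS allow-list are assumptions, values are the
report's own PIDs, keys and commands)."""
import re

OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)
NETSH_WLAN_RE = re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b", re.IGNORECASE)
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list, tune per estate

SAMPLE = "DHL Consignment Details_pdf.exe"
CMD = r'"C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"'
SID = "S-1-5-21-1675742406-747946869-1029867430-1000"
EVENTS = [  # constructed, in execution order; ppid of the first process is not in the report
    {"type": "process_create", "pid": 1632, "ppid": None, "image": SAMPLE, "cmdline": CMD},
    {"type": "process_create", "pid": 1716, "ppid": 1632, "image": SAMPLE, "cmdline": CMD},
    {"type": "write_process_memory", "pid": 1632, "target_pid": 1716},
    {"type": "set_thread_context", "pid": 1632, "target_pid": 1716},
    {"type": "reg_open_key", "pid": 1716, "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft"
     r"\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open_key", "pid": 1716, "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft"
     r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open_key", "pid": 1716, "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft"
     r"\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "process_create", "pid": 1568, "ppid": 1716, "image": "netsh.exe",
     "cmdline": '"netsh" wlan show profile'},
    {"type": "network_connect", "pid": 1716, "image": SAMPLE,  # constructed from the SMTP config
     "dest_host": "mail.flood-protection.org", "dest_port": 587},
]


def detect_process_hollowing(events):
    """A process writes into a child running the same image and then resets
    the child's thread context (WriteProcessMemory + SetThreadContext as in
    this report). The write must come before the context switch."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    written, hits = set(), []
    for e in events:
        pair = (e.get("pid"), e.get("target_pid"))
        if e["type"] == "write_process_memory":
            written.add(pair)
        elif e["type"] == "set_thread_context" and pair in written:
            src, dst = image.get(pair[0]), image.get(pair[1])
            if src is not None and src == dst:
                hits.append(pair)
    return hits


def detect_outlook_profile_access(events):
    """Opens under either Outlook profile store (Office\\<ver>\\Outlook or the
    Windows Messaging Subsystem): the outlook_office_path / outlook_win_path IoCs."""
    return [(e["pid"], e["key"]) for e in events
            if e["type"] == "reg_open_key" and OUTLOOK_PROFILE_RE.search(e["key"])]


def detect_wlan_profile_dump(events):
    """netsh wlan show profile(s): enumerates saved Wi-Fi profiles (and, with
    key=clear, their pre-shared keys). Returns (parent pid, pid, cmdline)."""
    return [(e["ppid"], e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process_create" and NETSH_WLAN_RE.search(e["cmdline"])]


def detect_smtp_from_non_mail_client(events):
    """Outbound SMTP from anything that is not a known mail client; Agent
    Tesla's smtp mode exfiltrates over exactly this channel."""
    return [(e["pid"], e["dest_host"], e["dest_port"]) for e in events
            if e["type"] == "network_connect" and e["dest_port"] in SMTP_PORTS
            and e["image"].lower() not in MAIL_CLIENTS]


def run_all(events):
    return {
        "process_hollowing": detect_process_hollowing(events),
        "outlook_profile_access": detect_outlook_profile_access(events),
        "wlan_profile_dump": detect_wlan_profile_dump(events),
        "smtp_from_non_mail_client": detect_smtp_from_non_mail_client(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The hollowing rule deliberately keys on "same image in parent and child" plus write-then-SetThreadContext ordering; legitimate software that spawns a copy of itself rarely also rewrites the child's thread context, which keeps the rule quiet on normal hosts. The SMTP rule is only as good as its allow-list, so maintain it from your own inventory rather than the two names assumed here.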
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe (PID 1716, child of 1632)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (PID 1568, child of 1716)
      Command line: "netsh" wlan show profile
      Enumerates the saved Wi-Fi profiles of the host; the SysWOW64 path shows the 32-bit netsh was launched, matching the x86 sample.
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Consignment Details_pdf.exe.log
  Filesize: 804B
  MD5: 95d73ac71175aa3750ccf4ef4692eb3b
  SHA1: 00a9ff99e5df811fb4a8aa43ba13ef7a7528b084
  SHA256: bb7b234193909320769f4b8c2036ed70f94853197d958e85cd9f2618e3f0ff64
  SHA512: a4196ec2e01b80aca8aca478446cc26089ba7b74c2587c9d0b3ea4b8c2c62d49ceeabd56a14021e83525ae4a416667a293c5798f9ddaacb3868e9407598c7544
  The .NET runtime writes this usage log when a 32-bit managed executable runs, confirming the sample is a .NET binary.
- memory/1632-133-0x0000000000390000-0x000000000042E000-memory.dmp, Filesize: 632KB
- memory/1632-134-0x0000000004EE0000-0x0000000004EF0000-memory.dmp, Filesize: 64KB
- memory/1632-135-0x0000000005A70000-0x0000000006014000-memory.dmp, Filesize: 5.6MB
- memory/1632-136-0x0000000004EE0000-0x0000000004EF0000-memory.dmp, Filesize: 64KB
- memory/1632-137-0x00000000055C0000-0x0000000005652000-memory.dmp, Filesize: 584KB
- memory/1632-138-0x0000000006420000-0x0000000006464000-memory.dmp, Filesize: 272KB
- memory/1632-139-0x0000000004EE0000-0x0000000004EF0000-memory.dmp, Filesize: 64KB
- memory/1632-140-0x0000000004EE0000-0x0000000004EF0000-memory.dmp, Filesize: 64KB
- memory/1632-141-0x0000000005A30000-0x0000000005A52000-memory.dmp, Filesize: 136KB
- memory/1716-145-0x0000000000390000-0x00000000003E0000-memory.dmp, Filesize: 320KB
- memory/1716-146-0x0000000004E40000-0x0000000004EDC000-memory.dmp, Filesize: 624KB
- memory/1716-147-0x0000000005AE0000-0x0000000005B46000-memory.dmp, Filesize: 408KB
- memory/1716-148-0x0000000004DE0000-0x0000000004DF0000-memory.dmp, Filesize: 64KB
- memory/1716-149-0x0000000004DE0000-0x0000000004DF0000-memory.dmp, Filesize: 64KB
- memory/1716-150-0x00000000061C0000-0x0000000006210000-memory.dmp, Filesize: 320KB
- memory/1716-151-0x00000000061B0000-0x00000000061BA000-memory.dmp, Filesize: 40KB
- memory/1716-152-0x0000000004DE0000-0x0000000004DF0000-memory.dmp, Filesize: 64KB
- memory/1716-153-0x0000000004DE0000-0x0000000004DF0000-memory.dmp, Filesize: 64KB
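The dump file names encode the PID, the event sequence number and the virtual address range of each region, so the listing can be checked and cross-referenced without opening a single dump. The script below is an added example, not part of the report: it parses every name, verifies that the listed file size matches the address range, and pairs regions that sit at the same base address in the parent (1632) and the child (1716), which, combined with the family_agenttesla hits, singles out the region the parent wrote into the hollowed child. Dump names, sizes and YARA hits are copied from the report; the 1% size tolerance is an assumption to absorb the rounded figures (for example 5.6MB).

```python
"""Parse and sanity-check the memory-dump listing (added example)."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Dump names and the sizes listed for them, copied from the report.
DUMPS = [
    ("memory/1632-133-0x0000000000390000-0x000000000042E000-memory.dmp", "632KB"),
    ("memory/1632-134-0x0000000004EE0000-0x0000000004EF0000-memory.dmp", "64KB"),
    ("memory/1632-135-0x0000000005A70000-0x0000000006014000-memory.dmp", "5.6MB"),
    ("memory/1632-136-0x0000000004EE0000-0x0000000004EF0000-memory.dmp", "64KB"),
    ("memory/1632-137-0x00000000055C0000-0x0000000005652000-memory.dmp", "584KB"),
    ("memory/1632-138-0x0000000006420000-0x0000000006464000-memory.dmp", "272KB"),
    ("memory/1632-139-0x0000000004EE0000-0x0000000004EF0000-memory.dmp", "64KB"),
    ("memory/1632-140-0x0000000004EE0000-0x0000000004EF0000-memory.dmp", "64KB"),
    ("memory/1632-141-0x0000000005A30000-0x0000000005A52000-memory.dmp", "136KB"),
    ("memory/1716-145-0x0000000000390000-0x00000000003E0000-memory.dmp", "320KB"),
    ("memory/1716-146-0x0000000004E40000-0x0000000004EDC000-memory.dmp", "624KB"),
    ("memory/1716-147-0x0000000005AE0000-0x0000000005B46000-memory.dmp", "408KB"),
    ("memory/1716-148-0x0000000004DE0000-0x0000000004DF0000-memory.dmp", "64KB"),
    ("memory/1716-149-0x0000000004DE0000-0x0000000004DF0000-memory.dmp", "64KB"),
    ("memory/1716-150-0x00000000061C0000-0x0000000006210000-memory.dmp", "320KB"),
    ("memory/1716-151-0x00000000061B0000-0x00000000061BA000-memory.dmp", "40KB"),
    ("memory/1716-152-0x0000000004DE0000-0x0000000004DF0000-memory.dmp", "64KB"),
    ("memory/1716-153-0x0000000004DE0000-0x0000000004DF0000-memory.dmp", "64KB"),
]
# Dumps the report's family_agenttesla YARA rule matched.
FAMILY_HITS = {
    "memory/1632-133-0x0000000000390000-0x000000000042E000-memory.dmp",
    "memory/1716-145-0x0000000000390000-0x00000000003E0000-memory.dmp",
}


def parse_size(text):
    """'632KB' -> 647168.0; '5.6MB' -> 5872025.6 (the rounded figure as printed)."""
    m = re.fullmatch(r"([0-9.]+)(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_dump(name, size_text):
    """Split a dump name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "bytes": end - start,
            "reported": parse_size(size_text)}


def size_consistent(d, tolerance=0.01):
    """Listed size is rounded, so allow a small (assumed 1%) slack."""
    return abs(d["bytes"] - d["reported"]) <= tolerance * d["bytes"]


def shared_bases(dumps):
    """Base addresses that were dumped from more than one process."""
    by_base = defaultdict(list)
    for d in dumps:
        by_base[d["start"]].append(d)
    return {b: ds for b, ds in by_base.items() if len({d["pid"] for d in ds}) > 1}


def injected_payload(dumps, hits, parent_pid, child_pid):
    """Child regions at a base also dumped from the parent and flagged by the
    family rule: the best candidate for the payload written into the child."""
    out = []
    for ds in shared_bases(dumps).values():
        if {parent_pid, child_pid} <= {d["pid"] for d in ds}:
            out.extend(d for d in ds if d["pid"] == child_pid and d["name"] in hits)
    return out


if __name__ == "__main__":
    parsed = [parse_dump(n, s) for n, s in DUMPS]
    for d in parsed:
        flag = "ok " if size_consistent(d) else "BAD"
        print(f"{flag} pid={d['pid']} seq={d['seq']} base=0x{d['start']:X} {d['bytes']} bytes")
    for d in injected_payload(parsed, FAMILY_HITS, 1632, 1716):
        print("injected payload candidate:", d["name"], d["bytes"], "bytes")
```

On this listing every size checks out, and the only base shared between the two processes is 0x390000: 632KB in the parent (roughly the 605KB sample mapped as an image) and 320KB in the child, which is the dump to pull first when you want the unpacked Agent Tesla payload for static triage.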