Overview

overview

10

Static

static

10

DHL Consig...df.exe

windows7-x64

10

DHL Consig...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    255s
  • max time network
    258s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Consignment Details_pdf.exe

  • Size

    605KB

  • MD5

    e915458310797b8738f816e6231e139e

  • SHA1

    5550e9bed859987c2a21fc2a3a20621805fc57bc

  • SHA256

    29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81

  • SHA512

    09a8c30c5bc442873a7bf0428f8b074f01e6648273218bc6855d7a38f8485208edc8acb835647851237da4df0ffe2a0507e1a02191490b4cfe987bec5cff753b

  • SSDEEP

    6144:gINjprJlckeFAypJXSu/2I9A80ab94dhx/8NJCibbb42et5k+nV/YLGmA:/rJllzkdSW0B8M2et5Hnd

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.flood-protection.org
  • Port:
    587
  • Username:
    somc@flood-protection.org
  • Password:
    somc2424@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1716
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:1568

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Consignment Details_pdf.exe.log
      Filesize

      804B

      MD5

      95d73ac71175aa3750ccf4ef4692eb3b

      SHA1

      00a9ff99e5df811fb4a8aa43ba13ef7a7528b084

      SHA256

      bb7b234193909320769f4b8c2036ed70f94853197d958e85cd9f2618e3f0ff64

      SHA512

      a4196ec2e01b80aca8aca478446cc26089ba7b74c2587c9d0b3ea4b8c2c62d49ceeabd56a14021e83525ae4a416667a293c5798f9ddaacb3868e9407598c7544

      Download Submit
    • memory/1632-141-0x0000000005A30000-0x0000000005A52000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1632-136-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1632-134-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1632-137-0x00000000055C0000-0x0000000005652000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1632-138-0x0000000006420000-0x0000000006464000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1632-139-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1632-140-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1632-133-0x0000000000390000-0x000000000042E000-memory.dmp
      Filesize

      632KB

      Download
    • memory/1632-135-0x0000000005A70000-0x0000000006014000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1716-153-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1716-146-0x0000000004E40000-0x0000000004EDC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1716-147-0x0000000005AE0000-0x0000000005B46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1716-148-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1716-149-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1716-150-0x00000000061C0000-0x0000000006210000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1716-151-0x00000000061B0000-0x00000000061BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1716-152-0x0000000004DE0000-0x0000000004DF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1716-145-0x0000000000390000-0x00000000003E0000-memory.dmp
      Filesize

      320KB

      Download