Overview

overview

10

Static

static

1

JUSTIFICAN...df.exe

windows7-x64

10

JUSTIFICAN...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JUSTIFICANTE DE PAGO30032023pdf.exe

  • Size

    766KB

  • MD5

    08422117b96b96d5164ef061bf874307

  • SHA1

    3ff48d4a298db79468ab8716a9814f2fe703e031

  • SHA256

    46903e776f2014fcd877ba071d2707c749ddae140e7682f5cc00c894914f3303

  • SHA512

    22bdb0737d070e0783cdb2d311d827215b750d16ce29345266812ba61d2d9067c0bbe865df34dab37e9af56c96fba63547f7bf05cd1b7c1c8af10d4233102fc4

  • SSDEEP

    12288:/ghti/pIS61qK7fXHUoTQDsqRaKbygMG9IFqnWAQsZufEIx5tx715v1:4O2A0fXHUSkdRPy1GRWAQRMIxTR13

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO30032023pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO30032023pdf.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO30032023pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 2212
        3⤵
        • Program crash
        PID:4460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
    1⤵
      PID:3676

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\AdvSplash.dll
      Filesize

      6KB

      MD5

      505c7c214c17ac801f5930abc57d38c3

      SHA1

      e9a17ed8182f92bf86babbd7ba8dd8770e8ff47e

      SHA256

      999ebf5ef6bf51828193deaf7697e6d22419e437c65e603bffa0bb2acc7f40c8

      SHA512

      30686f361db9d81c95912700af530529d4d89bf6b514a63ab5db6b20efc443b87aef44b598e45d33adee448ec1b6573ca035a1d20e11c78ea8253f1ecf5ebf38

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\System.dll
      Filesize

      11KB

      MD5

      a4dd044bcd94e9b3370ccf095b31f896

      SHA1

      17c78201323ab2095bc53184aa8267c9187d5173

      SHA256

      2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

      SHA512

      87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

      Download Submit
    • memory/1588-167-0x0000000000C00000-0x0000000003EE5000-memory.dmp
      Filesize

      50.9MB

      Download
    • memory/1588-168-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1588-151-0x0000000000C00000-0x0000000003EE5000-memory.dmp
      Filesize

      50.9MB

      Download
    • memory/1588-161-0x0000000000400000-0x000000000062B000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/1588-165-0x0000000000400000-0x000000000062B000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/1588-166-0x0000000000C00000-0x0000000003EE5000-memory.dmp
      Filesize

      50.9MB

      Download
    • memory/1588-175-0x0000000000C00000-0x0000000003EE5000-memory.dmp
      Filesize

      50.9MB

      Download
    • memory/1588-173-0x0000000037A10000-0x0000000037A1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1588-169-0x00000000373E0000-0x0000000037984000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1588-171-0x0000000000910000-0x0000000000920000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1588-170-0x0000000000920000-0x0000000000986000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1588-172-0x0000000037A30000-0x0000000037AC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4500-150-0x00000000049E0000-0x0000000007CC5000-memory.dmp
      Filesize

      50.9MB

      Download
    • memory/4500-149-0x00000000049E0000-0x0000000007CC5000-memory.dmp
      Filesize

      50.9MB

      Download