Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: PROFORMA FATURA.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: PROFORMA FATURA.exe
- Resource: win10v2004-20231130-en
General
- Target: PROFORMA FATURA.exe
- Size: 832KB
- MD5: 4cc3e6a5b1f5473111ed0fe08c85455b
- SHA1: 5c13bab0cff294b13c0542fca040c19ec94e2967
- SHA256: 394633bc848d312c2e79e48b1b10eadbce297624c6b844d4f643d93b1fb33c35
- SHA512: 58ec9c7407439d5143a2614add8bd79063be03cc94539628ceb7290b362c1ff0e9a2884cae59700151a60d1b55db1ca3da4e395196137b89af443ceed19963c5
- SSDEEP: 12288:ac5nF8ME6jD/yecHhUHkWlijOnpmz32LP7PP0WKLcuCgRNwgqYqRe:acPtD/yeGXWliGmzGLjZdgRSgqg
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Methodman991
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1740 set thread context of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
1740 | PROFORMA FATURA.exe
2540 | PROFORMA FATURA.exe
2540 | PROFORMA FATURA.exe
2712 | powershell.exe
2676 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1740 | PROFORMA FATURA.exe
Token: SeDebugPrivilege | 2540 | PROFORMA FATURA.exe
Token: SeDebugPrivilege | 2712 | powershell.exe
Token: SeDebugPrivilege | 2676 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2540 | PROFORMA FATURA.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 1740 wrote to memory of 2676 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2676 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2676 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2676 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2712 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2712 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2712 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2712 | 1740 | PROFORMA FATURA.exe | powershell.exe
PID 1740 wrote to memory of 2328 | 1740 | PROFORMA FATURA.exe | schtasks.exe
PID 1740 wrote to memory of 2328 | 1740 | PROFORMA FATURA.exe | schtasks.exe
PID 1740 wrote to memory of 2328 | 1740 | PROFORMA FATURA.exe | schtasks.exe
PID 1740 wrote to memory of 2328 | 1740 | PROFORMA FATURA.exe | schtasks.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
PID 1740 wrote to memory of 2540 | 1740 | PROFORMA FATURA.exe | PROFORMA FATURA.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1740
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2676
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ocsLtLXucVcFxs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2712
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ocsLtLXucVcFxs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE84C.tmp"
    - Creates scheduled task(s)
    PID: 2328
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2540
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 33d6c5d3fa368f031a935177ffdccb0f
  SHA1: 5226063018a8c1992fcd5263ed037a43737936cf
  SHA256: f146c1c5f8421de5d32428f838f69160fa02c6c0cd7cf04a50bf8c270ba7d711
  SHA512: fd740f3de450b9d7a883a3a020ab758686ca1fdf30c94906a8a41af4a73bbaf3a8e4e6e0eeb193b80fcf5a2c44cd3b162d02d357f6681937d1a8aadc38b24f93
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2OQPQ0GZ5V6VJ25KRWYT.temp
  Filesize: 7KB
  MD5: 6b3ac39b02e6449486f7f1be1981cbe6
  SHA1: aac302d886bd934af94e706cc53616457e3b4798
  SHA256: 00dbab07f1009bc4b569af721a58001b0cf37b01156ef116b9e4ca668f514f36
  SHA512: c063da942270758227fc7c7ab15da142173c11ca81b3b3e45d6afec1b3ba58a7940e8ac6149e0b07713a1c43cbbe9368d66d28ed558c5a14556131beb1ddef23
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 6b3ac39b02e6449486f7f1be1981cbe6
  SHA1: aac302d886bd934af94e706cc53616457e3b4798
  SHA256: 00dbab07f1009bc4b569af721a58001b0cf37b01156ef116b9e4ca668f514f36
  SHA512: c063da942270758227fc7c7ab15da142173c11ca81b3b3e45d6afec1b3ba58a7940e8ac6149e0b07713a1c43cbbe9368d66d28ed558c5a14556131beb1ddef23