Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 17:03
Static task: static1
Behavioral task: behavioral1
  Sample: PROFORMA FATURA.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: PROFORMA FATURA.exe
  Resource: win10v2004-20231130-en
General
- Target: PROFORMA FATURA.exe
- Size: 832KB
- MD5: 4cc3e6a5b1f5473111ed0fe08c85455b
- SHA1: 5c13bab0cff294b13c0542fca040c19ec94e2967
- SHA256: 394633bc848d312c2e79e48b1b10eadbce297624c6b844d4f643d93b1fb33c35
- SHA512: 58ec9c7407439d5143a2614add8bd79063be03cc94539628ceb7290b362c1ff0e9a2884cae59700151a60d1b55db1ca3da4e395196137b89af443ceed19963c5
- SSDEEP: 12288:ac5nF8ME6jD/yecHhUHkWlijOnpmz32LP7PP0WKLcuCgRNwgqYqRe:acPtD/yeGXWliGmzGLjZdgRSgqg
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Methodman991
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and information stealer, written in Visual Basic .NET.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1560 (PROFORMA FATURA.exe) set the thread context of PID 2408 (PROFORMA FATURA.exe), its own child copy.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: PID 1560 PROFORMA FATURA.exe (12 events), PID 2552 powershell.exe (1), PID 2916 powershell.exe (1), PID 2408 PROFORMA FATURA.exe (2)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege enabled by: PID 1560 PROFORMA FATURA.exe, PID 2552 powershell.exe, PID 2916 powershell.exe, PID 2408 PROFORMA FATURA.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 2408 PROFORMA FATURA.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1560 PROFORMA FATURA.exe wrote to the memory of:
  - PID 2916 powershell.exe (4 writes)
  - PID 2552 powershell.exe (4 writes)
  - PID 2588 schtasks.exe (4 writes)
  - PID 2408 PROFORMA FATURA.exe (9 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
  PID: 1560
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
    PID: 2916 (child of 1560)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ocsLtLXucVcFxs.exe"
    PID: 2552 (child of 1560)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ocsLtLXucVcFxs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp981B.tmp"
    PID: 2588 (child of 1560)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
    PID: 2408 (child of 1560)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
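The process tree above shows the three behaviours worth alerting on from process-creation telemetry alone: PowerShell adding Defender exclusions for the sample and for its dropped copy, schtasks creating a task from an XML file in the user's Temp directory, and the sample launching a second copy of itself (the launch that precedes the WriteProcessMemory and SetThreadContext calls of a process-hollowing injection). Note also that every child's image path is under SysWOW64 while its command line names System32: the parent is a 32-bit process and the WoW64 file-system redirector rewrote the path, which is normal and only tells you the sample is 32-bit. The following is an added example, not part of the sandbox report or of any detection product: a small Python triage pass over process-creation records constructed from the tree above (the PIDs and command lines are the report's; the record schema, the root PPID of 1000 and the two benign contrast rows are assumptions). It can only surface the self-spawn as a candidate for hollowing; confirming the injection needs API-level telemetry such as the report's WriteProcessMemory and SetThreadContext IoCs.

```python
"""Triage process-creation records for the AgentTesla behaviours seen in the report.

Added example; the record schema (pid, ppid, image, cmdline) is an assumption,
not any real log format. The rows marked 'constructed' are not from the report.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the OS loaded it (subject to WoW64 redirection)
    cmdline: str   # command line exactly as the parent passed it


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
DROPPED = r"C:\Users\Admin\AppData\Roaming\ocsLtLXucVcFxs.exe"

EVENTS = [
    # Rows taken from the report's process tree (PPID 1000 for the root is assumed).
    ProcEvent(1560, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2916, 1560, PS_IMAGE, rf'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcEvent(2552, 1560, PS_IMAGE, rf'{PS_CMD} Add-MpPreference -ExclusionPath "{DROPPED}"'),
    ProcEvent(2588, 1560, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ocsLtLXucVcFxs" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp981B.tmp"'),
    ProcEvent(2408, 1560, SAMPLE, f'"{SAMPLE}"'),
    # Constructed benign rows, to show the rules do not fire on ordinary activity.
    ProcEvent(3001, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
    ProcEvent(3002, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Return the value following `flag`, quoted or bare; flags are case-insensitive."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def defender_exclusions(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Add-MpPreference calls that exclude a path, process or extension from Defender."""
    hits = []
    for ev in events:
        if not re.search(r"\bAdd-MpPreference\b", ev.cmdline, re.I):
            continue
        for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
            value = _arg(ev.cmdline, flag)
            if value:
                hits.append((ev.pid, flag, value))
    return hits


def schtasks_from_user_temp(events: List[ProcEvent]) -> List[Tuple[int, Optional[str], str]]:
    """schtasks /Create whose task definition XML lives in a user's Temp directory."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev.image).name.lower() != "schtasks.exe":
            continue
        if not re.search(r"/create\b", ev.cmdline, re.I):
            continue
        xml = _arg(ev.cmdline, "/XML")
        if xml and USER_TEMP.search(xml):
            hits.append((ev.pid, _arg(ev.cmdline, "/TN"), xml))
    return hits


def self_spawn(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a process launched a copy of its own image.

    This is the launch shape of process hollowing (the report's 1560 -> 2408),
    but creation events alone cannot confirm the later memory writes.
    """
    by_pid = {ev.pid: ev for ev in events}
    return [(ev.ppid, ev.pid) for ev in events
            if ev.ppid in by_pid and by_pid[ev.ppid].image.lower() == ev.image.lower()]


def wow64_redirected(ev: ProcEvent) -> bool:
    """Command line says System32 but the loaded image is SysWOW64: a 32-bit parent."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def triage(events: List[ProcEvent]) -> dict:
    return {
        "defender_exclusions": defender_exclusions(events),
        "schtasks_from_temp": schtasks_from_user_temp(events),
        "self_spawn": self_spawn(events),
        "wow64_pids": [ev.pid for ev in events if wow64_redirected(ev)],
    }


if __name__ == "__main__":
    for finding, rows in triage(EVENTS).items():
        print(f"{finding}: {rows}")
```

The exclusion rule is the highest-signal of the three: Add-MpPreference with an Exclusion parameter run from a user-writable path is rarely legitimate, and Defender logs the same change as event 5007 in the Microsoft-Windows-Windows Defender/Operational channel, which gives a second source to corroborate the process event.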
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 1KB
  MD5: 9789d9435961a9b76426dd20baaf47a8
  SHA1: 75e5c6b3ba572d93d6732e4af19b4f9c26b21d40
  SHA256: a0b9f020e0cdf38baabe20d25c32fdb6da090b4eb098ada4da26848cf24c762a
  SHA512: 7466a50a806888828c76dd59cfa7d8b8758758153c09f3a12592efd5af1e0481718bd6e78ce56af73e2d430f40a553137439adc504d18fc199c84921f91b1269
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7HX51JZPFR423OKK086U.temp
  Filesize: 7KB
  MD5: 4b93994243c344b7cf4f69219402e566
  SHA1: 20466fe29e849fa5c28732ba7b63cdcd5c6e0f8f
  SHA256: bd4bfee59b8ba1a9e482aae429145719a997cca393913118f49e80b5930d9ba3
  SHA512: a734d78b3444c145aa4b522c77bf6b20365dfcd7e4bc1b4e1c1a349ed6ff69e9fcc61f8dc5fa6000b9fcac77fc2715ca64dac88851f9fdc49b126c94d172d1c2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 4b93994243c344b7cf4f69219402e566
  SHA1: 20466fe29e849fa5c28732ba7b63cdcd5c6e0f8f
  SHA256: bd4bfee59b8ba1a9e482aae429145719a997cca393913118f49e80b5930d9ba3
  SHA512: a734d78b3444c145aa4b522c77bf6b20365dfcd7e4bc1b4e1c1a349ed6ff69e9fcc61f8dc5fa6000b9fcac77fc2715ca64dac88851f9fdc49b126c94d172d1c2