Analysis

  • max time kernel
    139s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2023 16:50

General

  • Target

    Halkbank_Ekstre_20191102_073809_405251-PDF.exe

  • Size

    988KB

  • MD5

    0f93c17cac1c2dd8b332bf2d53aa2f8c

  • SHA1

    8848bf63c85f1743d63d458819ab4632f80b4cc9

  • SHA256

    4b01f24d97fef59510e2a99a4d75d48f7dbe8445e5fe05a3602fb7a12094ade9

  • SHA512

    b1b7968abe71cdf12c1aa3bed07fdde8282126faf2bd1386c8fccc0bfdc3ae39b10d94155a96770bc72dee60d6265ce45a8211e4624b3e25c1e08bc7794a2c89

  • SSDEEP

    12288:o6UYBXALb35v+g4IwbmB1fRcmjMx7jghB/8SBJxVtQD2b62SgM5DqanwP7r9r/+l:1SbIPIhbNM1sh9BR1q

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.rolexlogisticsservice.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    0.p-TydLJ-3Z

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
      2⤵
        PID:1760
      • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
        2⤵
          PID:4748
        • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5012

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20191102_073809_405251-PDF.exe.log

        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

      • memory/1436-10-0x0000000006BE0000-0x0000000006C7C000-memory.dmp

        Filesize

        624KB

      • memory/1436-14-0x00000000750F0000-0x00000000758A0000-memory.dmp

        Filesize

        7.7MB

      • memory/1436-9-0x00000000092A0000-0x000000000931E000-memory.dmp

        Filesize

        504KB

      • memory/1436-4-0x0000000008010000-0x0000000008020000-memory.dmp

        Filesize

        64KB

      • memory/1436-5-0x0000000007DD0000-0x0000000007DDA000-memory.dmp

        Filesize

        40KB

      • memory/1436-6-0x00000000053B0000-0x00000000053CA000-memory.dmp

        Filesize

        104KB

      • memory/1436-7-0x0000000005400000-0x0000000005408000-memory.dmp

        Filesize

        32KB

      • memory/1436-8-0x0000000005420000-0x000000000542A000-memory.dmp

        Filesize

        40KB

      • memory/1436-3-0x0000000007E30000-0x0000000007EC2000-memory.dmp

        Filesize

        584KB

      • memory/1436-2-0x0000000008340000-0x00000000088E4000-memory.dmp

        Filesize

        5.6MB

      • memory/1436-0-0x0000000000E50000-0x0000000000F4C000-memory.dmp

        Filesize

        1008KB

      • memory/1436-1-0x00000000750F0000-0x00000000758A0000-memory.dmp

        Filesize

        7.7MB

      • memory/5012-20-0x00000000053D0000-0x00000000053E0000-memory.dmp

        Filesize

        64KB

      • memory/5012-15-0x00000000750F0000-0x00000000758A0000-memory.dmp

        Filesize

        7.7MB

      • memory/5012-16-0x00000000053D0000-0x00000000053E0000-memory.dmp

        Filesize

        64KB

      • memory/5012-17-0x00000000053E0000-0x0000000005446000-memory.dmp

        Filesize

        408KB

      • memory/5012-18-0x0000000006BB0000-0x0000000006C00000-memory.dmp

        Filesize

        320KB

      • memory/5012-19-0x00000000750F0000-0x00000000758A0000-memory.dmp

        Filesize

        7.7MB

      • memory/5012-11-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB