Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2024 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: SUNKING_RFQ C_03 -- Mandy_设备清单_pdf .exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SUNKING_RFQ C_03 -- Mandy_设备清单_pdf .exe
  Resource: win10v2004-20231215-en
General
Target: SUNKING_RFQ C_03 -- Mandy_设备清单_pdf .exe
Size: 793KB
MD5: d9f7cda96bb0c223037d2f3a551f9d63
SHA1: c0788e500a4eb1699de1c2e35d5df3649fd7cd04
SHA256: 1c8ba43162bb2f24de0bb3f1ff0270d421a0bada0e5b70b1ef6cdeb1747c2888
SHA512: d6c96a8fd9bd1ce2f8ef08c8f3ab455e94e3feaccc9d69aec43d9462d13463901e8906c3343c8292020b103d52c50dc54c63bdf3f3ab5b2c909b7991a779b670
SSDEEP: 12288:BNCird53rD22qLoPRRVJ2nR9XPRJ3iFf2CW6dat1MJ/8A03eS4E4g2END:B4i3rDI4ARnJQf2CXaXKHsH4ExB
Malware Config
Extracted
  Protocol: smtp
  Host: mail.mediatrend.it
  Port: 587
  Username: [email protected]
  Password: yYnR5QNj
Extracted
  Family: agenttesla
  Protocol: smtp
  Host: mail.mediatrend.it
  Port: 587
  Username: [email protected]
  Password: yYnR5QNj
  Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    35    api.ipify.org
    36    api.ipify.org
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2952  SUNKING_RFQ C_03 -- Mandy_设备清单_pdf .exe
    2952  SUNKING_RFQ C_03 -- Mandy_设备清单_pdf .exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2952  SUNKING_RFQ C_03 -- Mandy_设备清单_pdf .exe
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2952-0-0x0000000000E10000-0x0000000000EDC000-memory.dmp (Filesize: 816KB)
memory/2952-1-0x0000000075030000-0x00000000757E0000-memory.dmp (Filesize: 7.7MB)
memory/2952-2-0x0000000005E90000-0x0000000006434000-memory.dmp (Filesize: 5.6MB)
memory/2952-3-0x00000000058E0000-0x0000000005972000-memory.dmp (Filesize: 584KB)
memory/2952-4-0x0000000005AC0000-0x0000000005AD0000-memory.dmp (Filesize: 64KB)
memory/2952-5-0x0000000005A70000-0x0000000005A7A000-memory.dmp (Filesize: 40KB)
memory/2952-6-0x0000000005B70000-0x0000000005C0C000-memory.dmp (Filesize: 624KB)
memory/2952-7-0x0000000006FB0000-0x0000000006FCC000-memory.dmp (Filesize: 112KB)
memory/2952-8-0x0000000006FD0000-0x0000000006FDE000-memory.dmp (Filesize: 56KB)
memory/2952-9-0x0000000006FE0000-0x0000000006FF4000-memory.dmp (Filesize: 80KB)
memory/2952-10-0x0000000007320000-0x00000000073A2000-memory.dmp (Filesize: 520KB)
memory/2952-11-0x0000000075030000-0x00000000757E0000-memory.dmp (Filesize: 7.7MB)
memory/2952-12-0x0000000005AC0000-0x0000000005AD0000-memory.dmp (Filesize: 64KB)
memory/2952-13-0x00000000073A0000-0x00000000073E0000-memory.dmp (Filesize: 256KB)
memory/2952-14-0x0000000009BE0000-0x0000000009C46000-memory.dmp (Filesize: 408KB)
memory/2952-15-0x00000000074E0000-0x0000000007530000-memory.dmp (Filesize: 320KB)