Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 12:33
Static task: static1
Behavioral task: behavioral1
- Sample: FACTURAS.scr
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: FACTURAS.scr
- Resource: win10v2004-20240419-en
General
- Target: FACTURAS.scr
- Size: 953KB
- MD5: 82846e38a751faa4c2667bea09633a99
- SHA1: 343fea80223ac120af3d760d00d19cb492172432
- SHA256: 343dd11490831bb2aa0e549a8a6d39bbb2303dd2672b5ee0fb77f6514f195094
- SHA512: e722ac1f09ac7cdac1263e135830a09979ca1abaac1745ca3bb6022b8eef7faa63d7fb00e306e9d7c35dd9e5a32be261ff295fc20a50128e5ad700751fbe64ab
- SSDEEP: 12288:5wglEe171o1+1k155scBRTWgwxPzQkbu3po3kTarV4Kvc2rm1m/NZ9O4uuUk2kx7:onNjkCK3k6XvmIKhJLk7w3B3nEr
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: cp8nl.hyperhost.ua
- Port: 587
- Username: [email protected]
- Password: 11035517QWEiop@#$
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process       target process
  PID 2912 set thread context of 2852  2912  FACTURAS.scr  FACTURAS.scr
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2852  FACTURAS.scr
  2852  FACTURAS.scr
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2852  FACTURAS.scr
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                       pid   process       target process
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
  PID 2912 wrote to memory of 2852  2912  FACTURAS.scr  FACTURAS.scr
Processes
1. C:\Users\Admin\AppData\Local\Temp\FACTURAS.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURAS.scr" /S
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\FACTURAS.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURAS.scr"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2852-13-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-5-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-8-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-19-0x0000000000C70000-0x0000000000CB0000-memory.dmp (Filesize: 256KB)
- memory/2852-7-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-6-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-11-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-15-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/2852-18-0x0000000074230000-0x000000007491E000-memory.dmp (Filesize: 6.9MB)
- memory/2852-17-0x0000000074230000-0x000000007491E000-memory.dmp (Filesize: 6.9MB)
- memory/2852-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2912-16-0x0000000074230000-0x000000007491E000-memory.dmp (Filesize: 6.9MB)
- memory/2912-0-0x0000000001120000-0x0000000001214000-memory.dmp (Filesize: 976KB)
- memory/2912-1-0x0000000074230000-0x000000007491E000-memory.dmp (Filesize: 6.9MB)
- memory/2912-4-0x00000000002D0000-0x00000000002D8000-memory.dmp (Filesize: 32KB)
- memory/2912-2-0x0000000000880000-0x00000000008EE000-memory.dmp (Filesize: 440KB)
- memory/2912-3-0x0000000004CC0000-0x0000000004D00000-memory.dmp (Filesize: 256KB)