Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 13:29
Static task
static1
Behavioral task
behavioral1
Sample
ASCD0001 INQ9829......pdf.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ASCD0001 INQ9829......pdf.exe
Resource
win10v2004-20240508-en
General
-
Target
ASCD0001 INQ9829......pdf.exe
-
Size
840KB
-
MD5
57b1ad0359c449cd533a34db4fc81a9d
-
SHA1
a28948d8b7456cc3e3ac2aaf244bbc35cee76b85
-
SHA256
fcb012805679bb99ffeb9f535f06e1c5940b53d773f527e3a9aef5371540a199
-
SHA512
40c1a56b489b94313093abda622cdb1e1d295ba867666a667a1160f4a2a47616000189cc31caa833e9d01a32aef0f57b3d7cb6bfc05e27b74ac7f6c0455a930b
-
SSDEEP
24576:Qw4bjw4bDmrejmh1ezUjX/sCDQzPcbgV7:Qw4bjw4bDljtUjPsCDQgbw
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.hsbv1.nl - Port:
587 - Username:
[email protected] - Password:
xdDPyH(8 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
ASCD0001 INQ9829......pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ASCD0001 INQ9829......pdf.exe Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ASCD0001 INQ9829......pdf.exe Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ASCD0001 INQ9829......pdf.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 33 api.ipify.org 34 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ASCD0001 INQ9829......pdf.exedescription pid process target process PID 5112 set thread context of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
ASCD0001 INQ9829......pdf.exeASCD0001 INQ9829......pdf.exepid process 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 5112 ASCD0001 INQ9829......pdf.exe 2508 ASCD0001 INQ9829......pdf.exe 2508 ASCD0001 INQ9829......pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ASCD0001 INQ9829......pdf.exeASCD0001 INQ9829......pdf.exedescription pid process Token: SeDebugPrivilege 5112 ASCD0001 INQ9829......pdf.exe Token: SeDebugPrivilege 2508 ASCD0001 INQ9829......pdf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ASCD0001 INQ9829......pdf.exedescription pid process target process PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe PID 5112 wrote to memory of 2508 5112 ASCD0001 INQ9829......pdf.exe ASCD0001 INQ9829......pdf.exe -
outlook_office_path 1 IoCs
Processes:
ASCD0001 INQ9829......pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ASCD0001 INQ9829......pdf.exe -
outlook_win_path 1 IoCs
Processes:
ASCD0001 INQ9829......pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ASCD0001 INQ9829......pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ASCD0001 INQ9829......pdf.exe"C:\Users\Admin\AppData\Local\Temp\ASCD0001 INQ9829......pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\ASCD0001 INQ9829......pdf.exe"C:\Users\Admin\AppData\Local\Temp\ASCD0001 INQ9829......pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2508
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3