Analysis Overview
SHA256
d23bfe6129eb1b44c79612e9743c286ee15d5024e61796662c3fb86cf0d27141
Threat Level: Known bad
The file Acal BFi UK - Products List 020240704.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect Xworm Payload
StormKitty
StormKitty payload
Xworm
Reads WinSCP keys stored on the system
Executes dropped EXE
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-04 16:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 16:23
Reported
2024-07-04 16:33
Platform
win7-20240508-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe
"C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | admin188.lol | udp |
| US | 66.29.132.56:443 | admin188.lol | tcp |
Files
memory/2080-0-0x000000007482E000-0x000000007482F000-memory.dmp
memory/2080-1-0x0000000000D50000-0x0000000000DAA000-memory.dmp
memory/2080-2-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2080-3-0x000000007482E000-0x000000007482F000-memory.dmp
memory/2080-4-0x0000000074820000-0x0000000074F0E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 16:23
Reported
2024-07-04 16:33
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
AgentTesla
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pbcfne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jefyla.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2644 set thread context of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pbcfne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pbcfne.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jefyla.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pbcfne.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe
"C:\Users\Admin\AppData\Local\Temp\Acal BFi UK - Products List 020240704.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Local\Temp\pbcfne.exe
"C:\Users\Admin\AppData\Local\Temp\pbcfne.exe"
C:\Users\Admin\AppData\Local\Temp\jefyla.exe
"C:\Users\Admin\AppData\Local\Temp\jefyla.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | admin188.lol | udp |
| US | 66.29.132.56:443 | admin188.lol | tcp |
| US | 8.8.8.8:53 | 56.132.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:2005 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 79.110.62.113:2005 | N/A | tcp |
| N/A | 127.0.0.1:2005 | N/A | tcp |
| NL | 79.110.62.113:2005 | N/A | tcp |
| US | 8.8.8.8:53 | 113.62.110.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | admin188.lol | udp |
| US | 66.29.132.56:443 | admin188.lol | tcp |
| NL | 79.110.62.113:2005 | N/A | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pbcfne.exe
| MD5 | 55cce50a83c495cfe0a033eaf60fb73b |
| SHA1 | ac044239c45bd034c9626d5d0a0d82fbd9238d5e |
| SHA256 | a5a51adba79a0d0c6445afe1f662101e62587cecded313e5f4d9a4f34ad55bef |
| SHA512 | ccc1234f1fdfab9be2d7ccf1d00115bd19f47901cb522bc40d5ec281f48b195520eab6bacb512a5bc56c1a40b90f3edffb0feed21217cd5754757cc5f71e759f |
C:\Users\Admin\AppData\Local\Temp\jefyla.exe
| MD5 | c521f9ec880f40cbed0f29d9d063a524 |
| SHA1 | bb475bac8e550286b69e843ce7f870f1c8450d7e |
| SHA256 | 129f373f4eb5e2ab2642846ec17971a4f73ee3cc4fb96e0a1dc80f60ec8ea552 |
| SHA512 | 7182723a297234311c3a6194c0ff2d3756c3437e5e90753ae241e0b56f8be939cc87998fa9fd36b50a2fb64d67c88ae17c9bf1f3433c139ffe724674773506cb |