Overview

overview

10

Static

static

3

MV TBN CAL...df.exe

windows7-x64

10

MV TBN CAL...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MV TBN CALL PORT FOR LOADING COAL_pdf.exe

  • Size

    641KB

  • MD5

    2546f92a54b6f32407cb0d86c91b330c

  • SHA1

    3b2eeddcae26a3efbb431fc4863e4765ff556392

  • SHA256

    c4152d490edfcc1620c4579bc9e9455b8cb71cb9efecb38140a22385ea95a9ce

  • SHA512

    df3cdd886e0ac5c315e47b352030313d189d51d4d959977421e443cf6fffd02df108319b5b277c202567caa86327803e1aaf9830d89c3bbc8ee7015703f28ea4

  • SSDEEP

    12288:Tbx119VXiwDIgVFyDu7iKXy2pGL3v5GzD1uIOUgQX14JE9xje50VwXH:BD95lGb5GzDL1pg06

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    cash4cars.nz
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -[([pqM~nGA4

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://cash4cars.nz
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -[([pqM~nGA4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dpRbrdOWQX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:208
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dpRbrdOWQX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:264
    • C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\MV TBN CALL PORT FOR LOADING COAL_pdf.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    f1d511af7d1dd993e23542e93b320a68

    SHA1

    1679c7ea56bb2d5292629038bc9e4bfb78048262

    SHA256

    5d1c295a14f8b7904311b005b544a2d03d60eabca8e172361b6d5b0e85dc8c20

    SHA512

    34957920a1aa0f8cb65e8feed8d36caed3d67d1b0d67b59a39c884e34954e9a58d4e814469f5f8e327d914427c4646ebf817814cb34ebb301b6fabb7d8aa9d7d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5rma1en.fec.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB92E.tmp
    Filesize

    1KB

    MD5

    1af5192e8056ab5d13a6b94d88867aa7

    SHA1

    8f7209a571cb1ada75e510b221bd6493f39b3853

    SHA256

    1503ff0edd8febd0d408b93e45ed15721c2cfd5a154b345f5b6220d8f1bc7213

    SHA512

    2947b08279f0aa2a0a25a1ca9f2549bc0c409d2ae663d59374a30beb3217e3aa4e2506e3d8d19bd9868448efd738d6cca1e4fc8f097a941da48f58e523fab0d3

    Download Submit

  • memory/208-87-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-47-0x0000000006330000-0x000000000637C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/208-61-0x0000000070260000-0x00000000702AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/208-46-0x0000000005D80000-0x0000000005D9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/208-19-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-74-0x0000000007110000-0x000000000711A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/396-5-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/396-10-0x0000000009200000-0x000000000929C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/396-9-0x0000000006C40000-0x0000000006CC2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/396-8-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/396-7-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/396-6-0x0000000005940000-0x0000000005950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/396-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/396-4-0x0000000005640000-0x000000000564A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/396-3-0x0000000005580000-0x0000000005612000-memory.dmp

    Filesize

    584KB

    Download

  • memory/396-2-0x0000000005C20000-0x00000000061C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/396-1-0x0000000000B00000-0x0000000000BA6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/396-48-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1856-73-0x0000000007860000-0x000000000787A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1856-22-0x0000000005DC0000-0x0000000005E26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1856-15-0x0000000004F80000-0x0000000004FB6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1856-39-0x0000000005FE0000-0x0000000006334000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1856-23-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1856-49-0x00000000076B0000-0x00000000076E2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1856-50-0x0000000070260000-0x00000000702AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1856-21-0x0000000005E30000-0x0000000005E96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1856-60-0x00000000076F0000-0x000000000770E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1856-71-0x0000000007720000-0x00000000077C3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1856-72-0x0000000007EA0000-0x000000000851A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1856-20-0x0000000005D90000-0x0000000005DB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1856-18-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1856-75-0x0000000007AE0000-0x0000000007B76000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1856-76-0x0000000007A60000-0x0000000007A71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1856-77-0x0000000007A90000-0x0000000007A9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1856-78-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1856-79-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1856-80-0x0000000007B80000-0x0000000007B88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1856-17-0x00000000055F0000-0x0000000005C18000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1856-16-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1856-86-0x0000000074D00000-0x00000000754B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2416-40-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2416-88-0x0000000006DC0000-0x0000000006E10000-memory.dmp

    Filesize

    320KB

    Download