Analysis
-
max time kernel
118s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 16:35
Static task
static1
Behavioral task
behavioral1
Sample
Fatura nº 4052804664.scr
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Fatura nº 4052804664.scr
Resource
win10v2004-20240802-en
General
-
Target
Fatura nº 4052804664.scr
-
Size
693KB
-
MD5
a0de9f804b692969d93ba2a8011f73a4
-
SHA1
247b67ca3f7d4f1017a537abb96384136936b78b
-
SHA256
cc58af4374174d975a7fc1abc5f43a0f537da1482334b95631ea9d5668db7304
-
SHA512
7dca8968d20f3159c75a5b6effb67456a30309f4652e9b45fa577ef19fe23a6532aa69532f4c28ae819be0da3a455b44971836fce7a041ffd143904c13cbbce9
-
SSDEEP
12288:nS993Hgi8MefNnUlSAgsWYTfxCIpIj4LcGPhGgXHXelLEAmD:qTmM77lTfxC/GpGgA
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fatura nº 4052804664.scr Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fatura nº 4052804664.scr Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fatura nº 4052804664.scr -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PMoZbw = "C:\\Users\\Admin\\AppData\\Roaming\\PMoZbw\\PMoZbw.exe" Fatura nº 4052804664.scr -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 api.ipify.org 21 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3956 set thread context of 1620 3956 Fatura nº 4052804664.scr 93 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fatura nº 4052804664.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fatura nº 4052804664.scr -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1620 Fatura nº 4052804664.scr 1620 Fatura nº 4052804664.scr -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1620 Fatura nº 4052804664.scr -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1620 Fatura nº 4052804664.scr -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 PID 3956 wrote to memory of 1620 3956 Fatura nº 4052804664.scr 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fatura nº 4052804664.scr -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fatura nº 4052804664.scr
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fatura nº 4052804664.scr"C:\Users\Admin\AppData\Local\Temp\Fatura nº 4052804664.scr" /S1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\Fatura nº 4052804664.scr"C:\Users\Admin\AppData\Local\Temp\Fatura nº 4052804664.scr"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1620
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1