Overview

overview

10

Static

static

3

Proforma I...df.exe

windows7-x64

10

Proforma I...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proforma Invoice.pdf.exe

  • Size

    1.5MB

  • MD5

    1faddd5b9d93e407e103e3065f1ed07f

  • SHA1

    31b14aa6cb25239e8087e07af03178e446a50f97

  • SHA256

    034cf32f26c06977510bb01c37167b100e949f88ba0073fd603d3cc909c9e3a3

  • SHA512

    b0f419d3b558d49707f89897c426238a60ae02385176e4dd7fb9629c2471c75ca23692334d3e1e2e5ba30674dbb46d657d7acbf7f79a68569a69ed7a38d227b3

  • SSDEEP

    24576:5AOcZAZwsp2RE/lPpVDcOOxYp2aGAuvZG31RMaas/xZvihMhi9+zOgQVUWT5:zSsZiipFQA3XM9oUsi9LPT5

Score
10/10
agentteslablustealercollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Blustealer family
    blustealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.pdf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Roaming\5_54\DL NETIVE BOTNET LOGS.exe
      "C:\Users\Admin\AppData\Roaming\5_54\DL NETIVE BOTNET LOGS.exe" A Pakistan International Airlines passenger aircraft (pictured)
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        PID:1632
    • C:\Users\Admin\AppData\Roaming\5_54\ffxusf.pif
      "C:\Users\Admin\AppData\Roaming\5_54\ffxusf.pif" kppvhvxa.gnl
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\5_54\atfkltnsgp.msc
    Filesize

    49KB

    MD5

    e5f855ae4f688c1a1555664d3d00f4e5

    SHA1

    666a3af218c44d7ded9726cb13b98362e2dbddc5

    SHA256

    5b2eaee4169be6652f2e0df372b420612b302f6514a4db0633661a0bb172336f

    SHA512

    6e09b04bd11fbfb22a24a6c08ddd38b8b18c4a69ceccaad7d767251319f32e8c422977a79ba14dc7c04a4f31e047560403611c9699b05985c87c875fc43a43ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\5_54\ttdbkhiquu.kud
    Filesize

    419KB

    MD5

    884d858f9d00db8a9a9364a2dc3b6b63

    SHA1

    1c07cd370d022b168679fb92ec6b138c862f4ed4

    SHA256

    34859dc0d250dd2e7f6b222265967ac90bf33ea7719612923aab46a2bf7466c2

    SHA512

    cf50c264ad46923ae2ab66df775cff74e14160617bc688da5d88f1f970542d59f10adaf739bf0f31dde7a8bf7def9807bf837a8405265ab84ca3c32036e19f84

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit

  • \Users\Admin\AppData\Roaming\5_54\DL NETIVE BOTNET LOGS.exe
    Filesize

    440KB

    MD5

    61f35c53811bb66d62effc5a53de458f

    SHA1

    e4507c6a3d5c3d01f19c487366044febb126ca70

    SHA256

    833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

    SHA512

    5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

    Download Submit

  • \Users\Admin\AppData\Roaming\5_54\ffxusf.pif
    Filesize

    794KB

    MD5

    18e404787e9c044105f5c4bec4600bd8

    SHA1

    9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

    SHA256

    e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

    SHA512

    c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

    Download Submit

  • memory/1632-173-0x0000000000D70000-0x0000000000E2C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/1632-172-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1632-171-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1632-169-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1632-170-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1632-168-0x0000000000130000-0x0000000000196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2656-179-0x0000000000270000-0x00000000008EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2656-184-0x0000000000270000-0x00000000008EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2656-182-0x0000000000270000-0x00000000008EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2656-181-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2656-187-0x0000000000270000-0x00000000002AA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2656-185-0x0000000000270000-0x00000000008EA000-memory.dmp

    Filesize

    6.5MB

    Download