Analysis
max time kernel: 136s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2025, 07:23
Static task: static1
General
Target: DHL Shipping document.pdf.exe
Size: 721KB
MD5: dd018828a03f411be17a3ee8bd760760
SHA1: 73cdc437b52108af3225d28b67547435bf2451f3
SHA256: c2df3d7537c43e85dfb395dd000d8c6f887ce891b9f05202406c44202823b586
SHA512: 485c8c0804561cc19fde2dbe35072544489f71adeb261c023bbb965dbce34f4854741ed4349ec0ae2577873b0b7977f9c43d824cb4a9e80e322a7e035d7209cc
SSDEEP: 12288:h+iuMeG1U3eIw/oYKZNPf2kZig2V+rk9x67pbl2fkRzINLVJXNkxFaD:LgT2KZN32r3V+cx6NvRz0LVJNkx
Malware Config
Extracted
  Protocol: smtp
  Host: mail.chinaplasticsac.com
  Port: 587
  Username: [email protected]
  Password: Zn3P4W{=XF2b
Extracted (agenttesla)
  Protocol: smtp
  Host: mail.chinaplasticsac.com
  Port: 587
  Username: [email protected]
  Password: Zn3P4W{=XF2b
  Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  30    ip-api.com
Suspicious use of SetThreadContext (1 IoC)
  description                         pid  Process                        procid_target
  PID 212 set thread context of 4856  212  DHL Shipping document.pdf.exe  99
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DHL Shipping document.pdf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DHL Shipping document.pdf.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 5 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4856  DHL Shipping document.pdf.exe
  212   DHL Shipping document.pdf.exe
  2024  DHL Shipping document.pdf.exe
  5864  DHL Shipping document.pdf.exe
  2256  DHL Shipping document.pdf.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  212   DHL Shipping document.pdf.exe
  212   DHL Shipping document.pdf.exe
  212   DHL Shipping document.pdf.exe
  212   DHL Shipping document.pdf.exe
  212   DHL Shipping document.pdf.exe
  212   DHL Shipping document.pdf.exe
  4856  DHL Shipping document.pdf.exe
  4856  DHL Shipping document.pdf.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  212   DHL Shipping document.pdf.exe
  Token: SeDebugPrivilege  4856  DHL Shipping document.pdf.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description                      pid  Process                        procid_target
  PID 212 wrote to memory of 2024  212  DHL Shipping document.pdf.exe  96
  PID 212 wrote to memory of 2024  212  DHL Shipping document.pdf.exe  96
  PID 212 wrote to memory of 2024  212  DHL Shipping document.pdf.exe  96
  PID 212 wrote to memory of 5864  212  DHL Shipping document.pdf.exe  97
  PID 212 wrote to memory of 5864  212  DHL Shipping document.pdf.exe  97
  PID 212 wrote to memory of 5864  212  DHL Shipping document.pdf.exe  97
  PID 212 wrote to memory of 2256  212  DHL Shipping document.pdf.exe  98
  PID 212 wrote to memory of 2256  212  DHL Shipping document.pdf.exe  98
  PID 212 wrote to memory of 2256  212  DHL Shipping document.pdf.exe  98
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
  PID 212 wrote to memory of 4856  212  DHL Shipping document.pdf.exe  99
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe (PID 212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe (PID 2024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe"
    - System Network Configuration Discovery: Internet Connection Discovery
  Level 2: C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe (PID 5864)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe"
    - System Network Configuration Discovery: Internet Connection Discovery
  Level 2: C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe (PID 2256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe"
    - System Network Configuration Discovery: Internet Connection Discovery
  Level 2: C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe (PID 4856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping document.pdf.exe"
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
Filesize: 1KB
MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3