Overview

overview

10

Static

static

1

Consignmen...11.exe

windows7-x64

10

Consignmen...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/04/2023, 06:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Consignment Notification-  6183111.exe

  • Size

    309KB

  • MD5

    3bbcf22f8cdda7ffe88e218e93640225

  • SHA1

    5faa9c42495a16dc9f431b2ea133b3db3b278b8a

  • SHA256

    177bd7025804e5d3e84f7c864cd0049493297382a476d769c8979d4f3b56fc28

  • SHA512

    d929809655006f91f91a058f54b5d624bbe235462928b79c2277adca8422bfe91247c4451055b61655ca39584b761490751024c72ddb537095e1600e4c7730b9

  • SSDEEP

    6144:vYa6cwmkIYQMcUEqfcdZdEu3wylA4IfdSth3/qHTWriB/joI1GParhR:vYCSIYQzaOU4GSz/qHTWri1jVGy3

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Consignment Notification-  6183111.exe
    "C:\Users\Admin\AppData\Local\Temp\Consignment Notification-  6183111.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe
      "C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe" C:\Users\Admin\AppData\Local\Temp\vbulyruqa.a
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe
        "C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3616

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\eufsui.gq
          Filesize

          263KB

          MD5

          fc7cc504fef9da3af8c8062aca624b1b

          SHA1

          8665c4b7ed0194e330e733595811b6567b1a2ce4

          SHA256

          4f9e44b0042633a9313d48c0697e03e54e856c760b3919a25d6ab8160d5d182f

          SHA512

          f903519fd4e44ffc30e8e912a622ae2bdb03085151c82bd642f98c56433815818a0036317259147ff0b560c87e5b982d5a0df9384ab7845dc33fce1019829a94

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe
          Filesize

          94KB

          MD5

          fd6c355b64052d7e9b9f7ad59f2cdf2b

          SHA1

          73daa27878b7bbb38484851e5e885dcc6cd59e55

          SHA256

          c266477af0e1f86d0cf5700730033ae3896d325d5c7a74a81a2f4a34f3e59fbd

          SHA512

          608f39cc52c9fcf088f3dde2cba33e64e76273233730dfe78281e8f284cba913f5cbb875a90d5c2b9f44689e81e945bb838c534cdfd37f61bc61bc4dd8fb3e63

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe
          Filesize

          94KB

          MD5

          fd6c355b64052d7e9b9f7ad59f2cdf2b

          SHA1

          73daa27878b7bbb38484851e5e885dcc6cd59e55

          SHA256

          c266477af0e1f86d0cf5700730033ae3896d325d5c7a74a81a2f4a34f3e59fbd

          SHA512

          608f39cc52c9fcf088f3dde2cba33e64e76273233730dfe78281e8f284cba913f5cbb875a90d5c2b9f44689e81e945bb838c534cdfd37f61bc61bc4dd8fb3e63

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rgmkcdirw.exe
          Filesize

          94KB

          MD5

          fd6c355b64052d7e9b9f7ad59f2cdf2b

          SHA1

          73daa27878b7bbb38484851e5e885dcc6cd59e55

          SHA256

          c266477af0e1f86d0cf5700730033ae3896d325d5c7a74a81a2f4a34f3e59fbd

          SHA512

          608f39cc52c9fcf088f3dde2cba33e64e76273233730dfe78281e8f284cba913f5cbb875a90d5c2b9f44689e81e945bb838c534cdfd37f61bc61bc4dd8fb3e63

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vbulyruqa.a
          Filesize

          7KB

          MD5

          873790bf3aecaee5184c784d75d76a19

          SHA1

          646790e850da5b2b738200106319e300a930a0d4

          SHA256

          ab20fb03d855d9a0b2ca3a82d35324f43178a1e7d3c7f72762cbba26bcc1bd20

          SHA512

          acbe6f4f7bef378542a7ef7ec7ab95898caf7aafeb1d88e9a4d467b59ab8bb76af44f858cba79eb1497cecb119886efa73ef7180099e864b6c831401283f371f

          Download Submit

        • memory/2708-142-0x0000000000510000-0x0000000000512000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3616-151-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-154-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-147-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3616-148-0x0000000005E60000-0x0000000006404000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3616-149-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3616-150-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-143-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3616-152-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-153-0x0000000005920000-0x0000000005986000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3616-145-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3616-155-0x0000000006F40000-0x0000000006FD2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3616-156-0x0000000006F20000-0x0000000006F2A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3616-157-0x0000000007160000-0x00000000071B0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3616-158-0x0000000007390000-0x0000000007552000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3616-159-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-160-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-161-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-162-0x00000000058A0000-0x00000000058B0000-memory.dmp

          Filesize

          64KB

          Download