Analysis
Max time kernel: 142s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231127-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-12-2023 01:03
Static task: static1
Behavioral task: behavioral1
  Sample: Ldnot.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: Ldnot.exe
  Resource: win10v2004-20231127-en
General
Target: Ldnot.exe
Size: 428KB
MD5: 9ab42dab7f35c8d542ad44e9e6c0f0ca
SHA1: a6f0aa4fd5141c92cb506a77b1c3604c7a60d608
SHA256: 2cdcc1d29030507ba28587a131f8b98b8c2ae4834524b5e1b584937ce0527ef6
SHA512: fe7ca1ace6cbd1a410fc96d3f92e19a53f0d7b46cfe458ab076b2fd59704e7a1d72833526a78b1c5a469e961f5735b8874c00fdaf11fa097a8e99db55f5661d8
SSDEEP: 6144:Q7XEhgANGThYl152Jnu9u95ik0uZWRQ6uX7Ee/AnBDxq6Tlv2222+v8WEjeNplzQ:thgANZl1SuMLikaI7TIxq6c
Malware Config
Extracted
  Protocol: smtp
  Host: meka.ldc.lv
  Port: 587
  Username: [email protected]
  Password: DJj8Mza7MM
Extracted: agenttesla
  Protocol: smtp
  Host: meka.ldc.lv
  Port: 587
  Username: [email protected]
  Password: DJj8Mza7MM
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / IoC):
    47  api.ipify.org
    48  api.ipify.org
    49  ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / PID / process / target PID / target process):
    set thread context of  3856  Ldnot.exe  2036  Ldnot.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (PID / process):
    3856  Ldnot.exe
    2036  Ldnot.exe
    2036  Ldnot.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / PID / process):
    Token: SeDebugPrivilege  3856  Ldnot.exe
    Token: SeDebugPrivilege  2036  Ldnot.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (PID / process):
    2036  Ldnot.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / PID / process / target PID / target process):
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
    wrote to memory of  3856  Ldnot.exe  2036  Ldnot.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\Ldnot.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ldnot.exe"
  PID: 3856
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: Image: C:\Users\Admin\AppData\Local\Temp\Ldnot.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Ldnot.exe
    PID: 2036
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 91196427e754ee46b2637907ca8ec235
  SHA1: e1be3b8c2e0fb94fe8720f67dfe45a730dd490bf
  SHA256: e9767213766f8f92bfed750d887db37351d3e39733ffe4f656ddedcafb1f8f91
  SHA512: 88c519c7fba1c0044d07e23ef8ae443cb1367a202b7456b6e7416d4fbf022af6cbd5069c5a633dde36c210511cc915e027442eb4648726474e8e0e447eb7989a