Overview

overview

10

Static

static

3

factura pendiente.exe

windows7-x64

10

factura pendiente.exe

windows10-2004-x64

10

Resubmissions

12-12-2023 13:30

231212-qrs2qadfdl 10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2023 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    factura pendiente.exe

  • Size

    619KB

  • MD5

    92e8f31ae6f6d570c7e3966ca0a5ac73

  • SHA1

    4677caeebb7a443741ca411e528eae015f988de1

  • SHA256

    97cc97fc2f2d929d2e89c4700899980964d12f30a11152059e1e1faf93b21aa7

  • SHA512

    94b31f99f90214e397367a2fe570ddb05f0ca6cee4badd89d480b4e084ec2c69429737becb1abb9a5849feb7d81704115e254255f3ccc7ae2b8a7f25d7625de0

  • SSDEEP

    12288:83IU8S6eUdni/24/AIG82dIStnBpYVVEPO90IsVRVU71pEMccX4mJt6B:aItSAdnie4/A7ddoVyPOmzV7YeMeGQB

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6381414841:AAFH0klFN21XG8PsAP5mFZBYcjb663pXP0E/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\factura pendiente.exe
    "C:\Users\Admin\AppData\Local\Temp\factura pendiente.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4628-0-0x0000000000450000-0x00000000004F2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4628-1-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-2-0x00000000053D0000-0x0000000005974000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4628-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4628-4-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4628-5-0x0000000005050000-0x000000000505A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4628-6-0x0000000005390000-0x00000000053A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4628-7-0x00000000053C0000-0x00000000053C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4628-8-0x0000000006320000-0x000000000632A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4628-9-0x00000000048D0000-0x000000000494C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4628-10-0x0000000007590000-0x000000000762C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4628-11-0x00000000074F0000-0x0000000007532000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4628-12-0x0000000006560000-0x00000000065C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4628-13-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-14-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4628-15-0x00000000073D0000-0x0000000007420000-memory.dmp

    Filesize

    320KB

    Download