Analysis
-
max time kernel
121s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-03-2024 02:41
Static task
static1
Behavioral task
behavioral1
Sample
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
Resource
win10v2004-20240226-en
General
-
Target
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
-
Size
1.1MB
-
MD5
94176afdf3dfa9f3d145cedbc0128c70
-
SHA1
156be08e77a37f3faa48ca039e27b555429005b1
-
SHA256
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06
-
SHA512
79c624293a58a220f2e8157abfbdfcb233bc484f967f1c3dc18ef20ff9673cb82cb76098123c4305cbacf37892ca822df920402a4e07451b9fd71ff50d9a6c1e
-
SSDEEP
24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aa2O2EqCJWS8YGuITOeN:yTvC/MTQYxsWR7aa2AxHAO
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.agrosparta.gr - Port:
587 - Username:
sales@agrosparta.gr - Password:
Agrosparta1209 - Email To:
jose.oliveirea655@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Drops startup file 1 IoCs
Processes:
Laddonia.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs Laddonia.exe -
Executes dropped EXE 1 IoCs
Processes:
Laddonia.exepid process 2592 Laddonia.exe -
Loads dropped DLL 1 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exepid process 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" RegSvcs.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule \Users\Admin\AppData\Local\Dalymore\Laddonia.exe autoit_exe C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe autoit_exe C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Laddonia.exedescription pid process target process PID 2592 set thread context of 2668 2592 Laddonia.exe RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 2668 RegSvcs.exe 2668 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Laddonia.exepid process 2592 Laddonia.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 2668 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exepid process 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 2592 Laddonia.exe 2592 Laddonia.exe 2592 Laddonia.exe -
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exepid process 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 2592 Laddonia.exe 2592 Laddonia.exe 2592 Laddonia.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exedescription pid process target process PID 2136 wrote to memory of 2592 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 2136 wrote to memory of 2592 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 2136 wrote to memory of 2592 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 2136 wrote to memory of 2592 2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe PID 2592 wrote to memory of 2668 2592 Laddonia.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exeFilesize
15.5MB
MD58dc872cde456397f57918b1c79b07a8e
SHA18f71505d4b826af069f7b5089bef822470a5b9df
SHA25689810919aae95594827deaf0172f101aa1f12a4f85bb2da58b8f094f78147200
SHA512ff66d71471ca97213770a92c33df06147431fa3475b91fee58a6d59fe16cd6e9388a25826995a6b84c754d22c346162cb796179184f03d2902039be3b7dc3743
-
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exeFilesize
15.5MB
MD56625385f95f0ffe1859b1fae768d6fdc
SHA152f8d2e2c514e112e11289aa76415ea029290928
SHA25630703adc0a01467d13ab2f9b7b6012eacfbbb221e9f07da57998cf406a58538d
SHA51205005fee10363d048ab86fdaec7f1f8f384353588d03cf8419000a2b8ba061fd1817d9ee561590e6eb118af530657db8ef087e33cae65b3b1f59c6a5e535021b
-
C:\Users\Admin\AppData\Local\Temp\uppishlyMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Dalymore\Laddonia.exeFilesize
10.2MB
MD51a4a50919cd35efad9002257263e8b47
SHA175591e6df5b8e2e083558b0433e270f60bfa6fe2
SHA256bc059a5517fd70d38073c73d44add9e1d3fa61be2fd0022284c54d3099837535
SHA512a395eb6bcc6e7ac946ae468cde682bffff99cfd5846089a5a9372af25cda0d9aac01b49806ab9ebe286663d64a5c58df4a74a3770c0ff7b01a6b4a1c174b4da6
-
memory/2136-10-0x0000000000120000-0x0000000000124000-memory.dmpFilesize
16KB
-
memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2668-35-0x0000000073E50000-0x000000007453E000-memory.dmpFilesize
6.9MB
-
memory/2668-36-0x0000000000340000-0x0000000000380000-memory.dmpFilesize
256KB
-
memory/2668-38-0x0000000073E50000-0x000000007453E000-memory.dmpFilesize
6.9MB
-
memory/2668-39-0x0000000000340000-0x0000000000380000-memory.dmpFilesize
256KB