Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2024 02:41
Static task
static1
Behavioral task
behavioral1
Sample
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
Resource
win10v2004-20240226-en
General
-
Target
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
-
Size
1.1MB
-
MD5
94176afdf3dfa9f3d145cedbc0128c70
-
SHA1
156be08e77a37f3faa48ca039e27b555429005b1
-
SHA256
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06
-
SHA512
79c624293a58a220f2e8157abfbdfcb233bc484f967f1c3dc18ef20ff9673cb82cb76098123c4305cbacf37892ca822df920402a4e07451b9fd71ff50d9a6c1e
-
SSDEEP
24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aa2O2EqCJWS8YGuITOeN:yTvC/MTQYxsWR7aa2AxHAO
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.agrosparta.gr - Port:
587 - Username:
sales@agrosparta.gr - Password:
Agrosparta1209 - Email To:
jose.oliveirea655@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Drops startup file 1 IoCs
Processes:
Laddonia.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs Laddonia.exe -
Executes dropped EXE 1 IoCs
Processes:
Laddonia.exepid process 4212 Laddonia.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" RegSvcs.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 api.ipify.org 23 api.ipify.org -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe autoit_exe C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Laddonia.exedescription pid process target process PID 4212 set thread context of 2620 4212 Laddonia.exe RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 2620 RegSvcs.exe 2620 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Laddonia.exepid process 4212 Laddonia.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 2620 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exepid process 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 4212 Laddonia.exe 4212 Laddonia.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exepid process 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe 4212 Laddonia.exe 4212 Laddonia.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exedescription pid process target process PID 4772 wrote to memory of 4212 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 4772 wrote to memory of 4212 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 4772 wrote to memory of 4212 4772 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe Laddonia.exe PID 4212 wrote to memory of 2620 4212 Laddonia.exe RegSvcs.exe PID 4212 wrote to memory of 2620 4212 Laddonia.exe RegSvcs.exe PID 4212 wrote to memory of 2620 4212 Laddonia.exe RegSvcs.exe PID 4212 wrote to memory of 2620 4212 Laddonia.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exeFilesize
12.4MB
MD596fe56bc3d0d9816609bb9236ae13a0a
SHA19929d9e96ae40361db70e2e4ce4ad3bec1d909da
SHA2561358c6e4ca3ab332ece9216b6a6db8999f2198f9fa7917a4978dfab17904d0b5
SHA5121d242658315f6a9695079643bd56fd72897628566745aed8d707b36d73036faa72dafd453218acdb59cab6ecdf5457bc81cb78235e844a0b66a38fa832e11536
-
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exeFilesize
13.7MB
MD5703b729c7ee26aae7eff0dbf77a24e0c
SHA1c9dae8540c878ef1443b6bc9534bec29e85495e0
SHA256081389320867178944b948c4f0edc07cc050294f9490216d527fdbe84bed4071
SHA5129f5ee9c88ec3528f534b4d4c8ff19accd3fa9c91cfeca4943cae0359b289f102d77a018d1e9a3d453636d2199effd7ed10338a83ebeaea7c4a09edcb7fe9b8f3
-
C:\Users\Admin\AppData\Local\Temp\kinematicalMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2620-30-0x0000000005C20000-0x00000000061C4000-memory.dmpFilesize
5.6MB
-
memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2620-29-0x0000000074850000-0x0000000075000000-memory.dmpFilesize
7.7MB
-
memory/2620-31-0x00000000058B0000-0x0000000005916000-memory.dmpFilesize
408KB
-
memory/2620-32-0x0000000005730000-0x0000000005740000-memory.dmpFilesize
64KB
-
memory/2620-34-0x0000000006CB0000-0x0000000006D00000-memory.dmpFilesize
320KB
-
memory/2620-35-0x0000000006DA0000-0x0000000006E32000-memory.dmpFilesize
584KB
-
memory/2620-36-0x0000000006D20000-0x0000000006D2A000-memory.dmpFilesize
40KB
-
memory/2620-37-0x0000000074850000-0x0000000075000000-memory.dmpFilesize
7.7MB
-
memory/2620-38-0x0000000005730000-0x0000000005740000-memory.dmpFilesize
64KB
-
memory/4772-10-0x00000000042B0000-0x00000000042B4000-memory.dmpFilesize
16KB