Overview

overview

10

Static

static

3

pedido 24-...48.exe

windows7-x64

10

pedido 24-...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    29-04-2024 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pedido 24-NARC-00248.exe

  • Size

    675KB

  • MD5

    14e65321e8e87acf51a04209b59d575d

  • SHA1

    5bf2b65f5aa56a16cbe5c6c551ed7a6cabb4f2cb

  • SHA256

    fc87539e22a02272651741ae48f23ce39f83be4f282cf923f22d3aa58500d76b

  • SHA512

    f97125ffd012a7f3647323055dc2ed418f12d09b6d0fd2ac6204b462b9a1fd1c63da523a3510359eef926f4a0f283b23d8c600f1a602c83ef30cca1db806ffed

  • SSDEEP

    12288:3Olv312Z3Rv0n3HbZe7rA6LDP8W9ptv/C5CpOEHdoDcvuHqWKQS38vYZ:3OJ312ZRv23bZucQDfXCMXGCoqHQU8va

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.indra-precision.co.th
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    UW8f$y[fBOEs

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pedido 24-NARC-00248.exe
    "C:\Users\Admin\AppData\Local\Temp\pedido 24-NARC-00248.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1660-0-0x0000000000EF0000-0x0000000000FA0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1660-1-0x00000000746D0000-0x0000000074DBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1660-2-0x0000000000E10000-0x0000000000E50000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1660-3-0x00000000005B0000-0x00000000005D0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1660-4-0x0000000000620000-0x0000000000634000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1660-5-0x0000000004F50000-0x0000000004FD6000-memory.dmp
    Filesize

    536KB

    Download
  • memory/1660-6-0x0000000000D90000-0x0000000000DD2000-memory.dmp
    Filesize

    264KB

    Download
  • memory/1660-7-0x00000000746D0000-0x0000000074DBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1660-8-0x0000000000E10000-0x0000000000E50000-memory.dmp
    Filesize

    256KB

    Download