Overview

overview

10

Static

static

5

Shipping d...st.exe

windows7-x64

10

Shipping d...st.exe

windows10-2004-x64

10

Resubmissions

22-05-2024 05:49

240522-gjhfksea74 10

22-05-2024 05:48

240522-ghenasea27 5

Analysis

  • max time kernel
    2629s
  • max time network
    2281s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping documentsInvoice and Packing List.exe

  • Size

    1.1MB

  • MD5

    a78784673b95a0368e80d0f56481b2c9

  • SHA1

    d6c57ae123c5b98fa5e74c705ab2f0ebef60d859

  • SHA256

    d1597a1081547fc01a3cac3d22c31b5cd21ae2ad3b95c4b2a0fa75e9e77d204a

  • SHA512

    98df4367be9a9027062373e6f999971cf5d47c65be0348e0caf8fcceacd69702ac59bff7e61c55ed082edeafb929b7671022c8444618dc8ae6dc9613ae11cc23

  • SSDEEP

    24576:S4lavt0LkLL9IMixoEgea55qGbjauDaq9MmCS:Fkwkn9IMHea5L61aPCS

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7183646529:AAFkQSKmdVoaYTv19prcb1lxCwzZZaLys8o/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping documentsInvoice and Packing List.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping documentsInvoice and Packing List.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping documentsInvoice and Packing List.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping documentsInvoice and Packing List.exe"
        3⤵
          PID:324
        • C:\Users\Admin\AppData\Local\directory\name.exe
          "C:\Users\Admin\AppData\Local\directory\name.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\directory\name.exe"
            4⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Countee
      Filesize

      29KB

      MD5

      83b43c3ba378f65527a0676bf7b357e0

      SHA1

      89569a06b77983cc22169c9b5b744042a5b1185c

      SHA256

      bf7f819b62449f5a77fde0d2c1f5ec34e32a592c09f7aa26c54f04e59c20184a

      SHA512

      e03432cf2aae9cba35d8059afb7eda8121a601fd9c43cda41c10dc446b2bb9e0651fd0ffa03cf02e21e943a2219478cd46d6389a02d2bd5e781444b50c6c0a76

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aut5A80.tmp
      Filesize

      9KB

      MD5

      59fd22051a9596046c5e6be3537d5e82

      SHA1

      11deba020b7fabee274294142bfdbd5a40a70675

      SHA256

      7be2d6f8f889d688694040644fab4da1656f7d2b794fc0a37453002cc53e1aae

      SHA512

      d1e8b7b17bd9b7630ba9c20349b8066f8cb9480bd5ab719d9042818f0bb710046d9be08b3f9cf7a85f42bba48ef4ee37c1b41ccc8054f63926c5f7c6ecd4b248

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\deblateration
      Filesize

      262KB

      MD5

      b3e8ad5bb2d6f05dba9e38094cc44f05

      SHA1

      dc508fa1070fbc537dfc32bda0cddce6a4e9b540

      SHA256

      bc96a7c9983b56f1e036fd2e88e488851048930436d8f08b4a1ae920ef6254ef

      SHA512

      f638c1654cf91634cc5e41242d6c4d1b3f26a53dbfb47644920afab055579bfe03663eb9d83a42ef93817ffbfcc6ad315ca3134f992b9af9e63153681bc79b95

      Download Submit

    • memory/580-83-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-111-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-48-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/580-49-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/580-50-0x0000000002010000-0x0000000002064000-memory.dmp

      Filesize

      336KB

      Download

    • memory/580-51-0x00000000020B0000-0x0000000002102000-memory.dmp

      Filesize

      328KB

      Download

    • memory/580-65-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-67-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-95-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-53-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-75-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-55-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-87-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-57-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-59-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-61-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-73-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-1087-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/580-52-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-46-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/580-99-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-109-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-107-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-105-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-103-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-101-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-97-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-91-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-89-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-85-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-81-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-79-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-77-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-71-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-69-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-63-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/580-93-0x00000000020B0000-0x00000000020FD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1268-11-0x0000000000B70000-0x0000000000B74000-memory.dmp

      Filesize

      16KB

      Download