Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 14:12
Static task
static1
Behavioral task
behavioral1
Sample
factura 7823378.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
factura 7823378.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
General
-
Target
factura 7823378.exe
-
Size
1.3MB
-
MD5
7741e296fc7876e2cf35e44ba4264f47
-
SHA1
265bb706ee04a4d3b6f23c87873bc7d5202c0de9
-
SHA256
938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2
-
SHA512
1caa387ded8ec1431cceba2def2abfdf53883fdb2c300d8a64de726f35e0a28f0036c29f0f2d894fcdcff6f6bcb6f827124ca6ca7419fa24d212d84ec5d21ffc
-
SSDEEP
24576:99Q0lIVTRJRqhx+pF/GMvtfc+DBy/U77VaaG8uosbrDqa1VHWTcSdmWDxbLn/ohK:LQ0lsRzeMp8MtftD4M77YoOrDX1l2xb3
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.biotem.com.tr - Port:
587 - Username:
[email protected] - Password:
alesta.,alesta., - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Loads dropped DLL 1 IoCs
Processes:
factura 7823378.exepid process 2768 factura 7823378.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ip-api.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
factura 7823378.exepid process 2708 factura 7823378.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
factura 7823378.exefactura 7823378.exepid process 2768 factura 7823378.exe 2708 factura 7823378.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
factura 7823378.exedescription pid process target process PID 2768 set thread context of 2708 2768 factura 7823378.exe factura 7823378.exe -
Drops file in Program Files directory 1 IoCs
Processes:
factura 7823378.exedescription ioc process File opened for modification C:\Program Files (x86)\konvoluterer\Forsikringsinspektrer.ini factura 7823378.exe -
Drops file in Windows directory 1 IoCs
Processes:
factura 7823378.exedescription ioc process File opened for modification C:\Windows\mycelian\sempitern.ini factura 7823378.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
factura 7823378.exepid process 2708 factura 7823378.exe 2708 factura 7823378.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
factura 7823378.exepid process 2768 factura 7823378.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
factura 7823378.exedescription pid process Token: SeDebugPrivilege 2708 factura 7823378.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
factura 7823378.exedescription pid process target process PID 2768 wrote to memory of 2708 2768 factura 7823378.exe factura 7823378.exe PID 2768 wrote to memory of 2708 2768 factura 7823378.exe factura 7823378.exe PID 2768 wrote to memory of 2708 2768 factura 7823378.exe factura 7823378.exe PID 2768 wrote to memory of 2708 2768 factura 7823378.exe factura 7823378.exe PID 2768 wrote to memory of 2708 2768 factura 7823378.exe factura 7823378.exe PID 2768 wrote to memory of 2708 2768 factura 7823378.exe factura 7823378.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\factura 7823378.exe"C:\Users\Admin\AppData\Local\Temp\factura 7823378.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\factura 7823378.exe"C:\Users\Admin\AppData\Local\Temp\factura 7823378.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5b8992e497d57001ddf100f9c397fcef5
SHA1e26ddf101a2ec5027975d2909306457c6f61cfbd
SHA25698bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
SHA5128823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c