Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 01:32

General

  • Target

    f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe

  • Size

    1.0MB

  • MD5

    85f70dc6f29796d7d80aa3e290759058

  • SHA1

    7740df3b8105557f43347bbc0d0ba6bd42bf1eef

  • SHA256

    f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde

  • SHA512

    a502868f4c14cd57ba95bcf66389ab352408f8f7dda1500e495f13b08e6d3ddea88a41044b3933cc0fa3c2fbd0b67d54570b4f087803b194a0974d0057d684c3

  • SSDEEP

    24576:AAHnh+eWsN3skA4RV1Hom2KXMmHatfXP8UDdZu5:3h+ZkldoPK8Yat38UD8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
    "C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\quinquennia\obtenebrate.exe
      "C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\juvenilely

    Filesize

    239KB

    MD5

    254ae003eb522aa351a5169d5981814e

    SHA1

    1c6fbb5bc853b427a4ca25b6f42e7cc6159f2902

    SHA256

    d07aa87ea35cd5c423e64d2d243a71c4b811431d2a172db549d22d21fcd18002

    SHA512

    d8bcd0a188926be1f7b17c487d1548a1efb3acdd09107ab59c36ddeba194c5025e681c861323067e79d6f4228dbd4c4f4fee953589570e7bec0bd932fe9ab3fe

  • C:\Users\Admin\AppData\Local\Temp\neophobic

    Filesize

    28KB

    MD5

    a77290f7366f589e1c7c6e6e348d6ad0

    SHA1

    f6f3ad8e761919fefdd9524e35489c463ce00bcc

    SHA256

    7ef623ce4f9abc5816b8f697f32befbf2d46dd68fe882aa106da9f64dbbdce13

    SHA512

    d9eacb91df819dc43c9e2b9dad44e5ef63b898a82ab482533e8bf84d44de2d42595c8720582d5ca0995989edfc5ac09f436ada395811d4a02cc700f517e6845d

  • \Users\Admin\AppData\Local\quinquennia\obtenebrate.exe

    Filesize

    1.0MB

    MD5

    85f70dc6f29796d7d80aa3e290759058

    SHA1

    7740df3b8105557f43347bbc0d0ba6bd42bf1eef

    SHA256

    f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde

    SHA512

    a502868f4c14cd57ba95bcf66389ab352408f8f7dda1500e495f13b08e6d3ddea88a41044b3933cc0fa3c2fbd0b67d54570b4f087803b194a0974d0057d684c3

  • memory/2632-30-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

  • memory/2632-36-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

  • memory/2632-32-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

  • memory/2632-39-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

  • memory/2632-40-0x00000000740FE000-0x00000000740FF000-memory.dmp

    Filesize

    4KB

  • memory/2632-41-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

  • memory/2632-42-0x00000000740FE000-0x00000000740FF000-memory.dmp

    Filesize

    4KB

  • memory/2632-43-0x00000000740F0000-0x00000000747DE000-memory.dmp

    Filesize

    6.9MB

  • memory/3008-10-0x00000000001F0000-0x00000000001F4000-memory.dmp

    Filesize

    16KB