Analysis
- max time kernel: 43s
- max time network: 57s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 09:36

Static task: static1

Behavioral task: behavioral1
- Sample: TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
- Resource: win10v2004-20240508-en
General
- Target: TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
- Size: 1.0MB
- MD5: a494e3769a2f84e1338583c536444d2b
- SHA1: 50e68f707dce4a35bd6a140efbe33c26c780f0ae
- SHA256: 377df318502b404bf7b0a8cb059aa3eba749e06b366e13c393ebfd588b4a6b7b
- SHA512: 76b148e3df7d06eaa716f5c38240aee3060fcaf9abbcb4e2b959539a1494d986218bd89a71ab2eaa223a11509edbeb2c6091d825f05b1b8e28b3b70d2d56f2be
- SSDEEP: 24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaQLGWvk2Ys5:xh+ZkldoPK8YaQLGWvRv
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.laboratoriosvilla.com.mx
- Port: 587
- Username: [email protected]
- Password: WZ,2pliw#L)D
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KaGeys = "C:\\Users\\Admin\\AppData\\Roaming\\KaGeys\\KaGeys.exe"

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 2: api.ipify.org
- flow 5: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3908 (TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe) set thread context of PID 4632 (RegSvcs.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 4632 RegSvcs.exe
- PID 4632 RegSvcs.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- PID 3908 TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
- PID 3908 TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 4632 RegSvcs.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 3908 TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
- PID 3908 TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 3908 TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
- PID 3908 TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- PID 3908 (TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe) wrote to memory of PID 4632 (RegSvcs.exe)
- PID 3908 (TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe) wrote to memory of PID 4632 (RegSvcs.exe)
- PID 3908 (TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe) wrote to memory of PID 4632 (RegSvcs.exe)
- PID 3908 (TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe) wrote to memory of PID 4632 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe"
  PID: 3908
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT AWB AND COMMERCAIL INVOICE TRACKING DETAILS.exe"
    PID: 4632
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken