Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/06/2024, 06:28 UTC

General

  • Target
    SPECIFICATIONS.exe
  • Size
    2.5MB
  • MD5
    8dcde8d3e5361e46c9a0eb3a7c559b6a
  • SHA1
    a2bec0f3c99c9197443bc161233ec19678172952
  • SHA256
    a19e8babf5efa761ff04475ae8db2e359e1d74f19ebb81cb59c57aa07ab9390e
  • SHA512
    005ccb5697e533fcbd782509cdb19c381a8bbf3af35f6282456a4236bd5793109da8b81296140496755ca608f93cde4c963f46c5d8694caf5c7c66e194de006c
  • SSDEEP
    12288:l7d5M1YVb+stU0vbzqD7wngYZW34lM5G7KSvicVcDD:K1YU1UbzMOyU69eVcDD

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    me@ercolina-usa.com
  • Password:
    uy,o#mZj8$lY

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    me@ercolina-usa.com
  • Password:
    uy,o#mZj8$lY

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe (PID 2340, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 2320, depth 2)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
    • Child: C:\Windows\system32\WerFault.exe (PID 2916, depth 2)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2340 -s 624

Network

  • DNS lookup of api.ipify.org by CasPol.exe, remote address 8.8.8.8:53 (US)
    Request:
      api.ipify.org IN A
    Response:
      api.ipify.org IN A 172.67.74.152
      api.ipify.org IN A 104.26.12.205
      api.ipify.org IN A 104.26.13.205
  • GET https://api.ipify.org/ by CasPol.exe, remote address 172.67.74.152:443 (US)
    Request:
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 25 Jun 2024 06:28:12 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 8992e56bd9bc24ae-LHR
  • DNS lookup of pki.goog by CasPol.exe, remote address 8.8.8.8:53 (US)
    Request:
      pki.goog IN A
    Response:
      pki.goog IN A 216.239.32.29
  • GET http://pki.goog/gsr1/gsr1.crt by CasPol.exe, remote address 216.239.32.29:80 (US)
    Request:
      GET /gsr1/gsr1.crt HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: pki.goog
    Response:
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 889
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Tue, 25 Jun 2024 05:47:23 GMT
      Expires: Tue, 25 Jun 2024 06:37:23 GMT
      Cache-Control: public, max-age=3000
      Age: 2449
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
  • DNS lookup of www.microsoft.com by CasPol.exe, remote address 8.8.8.8:53 (US)
    Request:
      www.microsoft.com IN A
    Response:
      www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net IN A 23.55.97.181
  • DNS lookup of ftp.ercolina-usa.com by CasPol.exe, remote address 8.8.8.8:53 (US)
    Request:
      ftp.ercolina-usa.com IN A
    Response:
      ftp.ercolina-usa.com IN CNAME ercolina-usa.com
      ercolina-usa.com IN A 192.254.225.136
Connections (remote address, domain, protocol, process; bytes and packets sent / received)

  • 172.67.74.152:443, https://api.ipify.org/, tls, http, CasPol.exe; sent 996 B in 11 packets, received 5.4kB in 10 packets
    HTTP Request: GET https://api.ipify.org/
    HTTP Response: 200
  • 216.239.32.29:80, http://pki.goog/gsr1/gsr1.crt, http, CasPol.exe; sent 351 B in 5 packets, received 1.8kB in 4 packets
    HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
    HTTP Response: 200
  • 192.254.225.136:21, ftp.ercolina-usa.com, ftp, CasPol.exe; sent 787 B in 13 packets, received 1.3kB in 16 packets
  • 192.254.225.136:43551, ftp.ercolina-usa.com, (no protocol identified), CasPol.exe; sent 190 B in 4 packets, received 132 B in 3 packets
  • 192.254.225.136:46145, ftp.ercolina-usa.com, (no protocol identified), CasPol.exe; sent 190 B in 4 packets, received 92 B in 2 packets
  • 8.8.8.8:53, api.ipify.org, dns, CasPol.exe; sent 59 B in 1 packet, received 107 B in 1 packet
    DNS Request: api.ipify.org
    DNS Response: 172.67.74.152, 104.26.12.205, 104.26.13.205
  • 8.8.8.8:53, pki.goog, dns, CasPol.exe; sent 54 B in 1 packet, received 70 B in 1 packet
    DNS Request: pki.goog
    DNS Response: 216.239.32.29
  • 8.8.8.8:53, www.microsoft.com, dns, CasPol.exe; sent 63 B in 1 packet, received 230 B in 1 packet
    DNS Request: www.microsoft.com
    DNS Response: 23.55.97.181
  • 8.8.8.8:53, ftp.ercolina-usa.com, dns, CasPol.exe; sent 66 B in 1 packet, received 96 B in 1 packet
    DNS Request: ftp.ercolina-usa.com
    DNS Response: 192.254.225.136

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2320-10-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2320-14-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2320-39-0x0000000074740000-0x0000000074E2E000-memory.dmp (Filesize: 6.9MB)
  • memory/2320-38-0x000000007474E000-0x000000007474F000-memory.dmp (Filesize: 4KB)
  • memory/2320-4-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2320-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2320-17-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2320-15-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2320-19-0x0000000074740000-0x0000000074E2E000-memory.dmp (Filesize: 6.9MB)
  • memory/2320-18-0x000000007474E000-0x000000007474F000-memory.dmp (Filesize: 4KB)
  • memory/2320-8-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2320-6-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
  • memory/2340-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp (Filesize: 4KB)
  • memory/2340-1-0x0000000000F10000-0x0000000000F1C000-memory.dmp (Filesize: 48KB)
  • memory/2340-36-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp (Filesize: 4KB)
  • memory/2340-37-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp (Filesize: 9.9MB)
  • memory/2340-3-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp (Filesize: 9.9MB)
  • memory/2340-2-0x00000000009B0000-0x0000000000A46000-memory.dmp (Filesize: 600KB)
