Overview

overview

10

Static

static

1

de compra ...01.exe

windows7-x64

10

de compra ...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2024 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de compra BF-161000401.exe

  • Size

    1.8MB

  • MD5

    5cefc3cb0c3ae4641ad13cc1ba4fdb8d

  • SHA1

    6b6a9b062c03bfc1d424e04335bc845ee72a1647

  • SHA256

    83f12ad49ad0352bf087afe66a5bf55fd5fe0b1fff08415454280173612f60d3

  • SHA512

    4e1157c778da1de34ec5b94a12f9974ebe2a286f48a7a1023cefd0f2d333569a7c83e9b76604c4275bd36213e1de8aba27215d4c094eb6ae2f5d24f478b09059

  • SSDEEP

    49152:nnVL3gGsHkejStio5c3+Jbh8704UOsCuOS:nxg1Dj41S00sCuB

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.grupovamex.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    tTgUWMBntHIE

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de compra BF-161000401.exe
    "C:\Users\Admin\AppData\Local\Temp\de compra BF-161000401.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\de compra BF-161000401.exe
      "C:\Users\Admin\AppData\Local\Temp\de compra BF-161000401.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\de compra BF-161000401.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2200-11-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2200-28-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2200-26-0x0000000002060000-0x0000000002064000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2200-15-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2200-14-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2200-12-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4212-29-0x000000007429E000-0x000000007429F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4212-27-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4212-35-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4212-34-0x000000007429E000-0x000000007429F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4212-32-0x0000000006520000-0x0000000006570000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4212-31-0x0000000074290000-0x0000000074A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4212-30-0x0000000005770000-0x00000000057D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4900-6-0x0000000005E10000-0x0000000005E1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4900-3-0x0000000005910000-0x00000000059A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4900-2-0x0000000005E20000-0x00000000063C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4900-4-0x0000000005A50000-0x0000000005DA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4900-1-0x0000000000D80000-0x0000000000F4A000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4900-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4900-5-0x0000000074AB0000-0x0000000075260000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4900-7-0x0000000008620000-0x000000000863A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4900-10-0x0000000007080000-0x000000000711C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4900-33-0x0000000074AB0000-0x0000000075260000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4900-9-0x0000000008A70000-0x0000000008BD0000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4900-8-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

    Filesize

    56KB

    Download