Overview

overview

10

Static

static

3

Thermo Fis...07.exe

windows7-x64

7

Thermo Fis...07.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/08/2024, 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Thermo Fisher RFQ_TFS-1207.exe

  • Size

    590KB

  • MD5

    9768c048c979aeeeeb051574d452b626

  • SHA1

    414d48d77fc71d29e58a92d02fa2d770fb854339

  • SHA256

    19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba

  • SHA512

    9153c973c3ed1f5f1964671e084b1bd764d9850fd87feab3a78acf417178d8f32ee6c16c044020979066bf4b2ad7e2e1e3449a7df3954f78ab9ce9ea649c9bce

  • SSDEEP

    12288:QG05Z3OJwnoJIn8f/FAOeanklK9N8QGMi7B1mSwIhCjVnj:QGz4om8ftAOLKwuQWB1mSlCjVj

Score
10/10
agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Loads dropped DLL 10 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Thermo Fisher RFQ_TFS-1207.exe
    "C:\Users\Admin\AppData\Local\Temp\Thermo Fisher RFQ_TFS-1207.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\AppData\Local\Temp\Thermo Fisher RFQ_TFS-1207.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsa6061.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    549ee11198143574f4d9953198a09fe8

    SHA1

    2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

    SHA256

    131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

    SHA512

    0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsa6061.tmp\System.dll
    Filesize

    12KB

    MD5

    192639861e3dc2dc5c08bb8f8c7260d5

    SHA1

    58d30e460609e22fa0098bc27d928b689ef9af78

    SHA256

    23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

    SHA512

    6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsa6061.tmp\UserInfo.dll
    Filesize

    4KB

    MD5

    f8b6dd1f9620be4ef2ad1e81fb6b79fa

    SHA1

    f06c8c8650335bace41c8dbe73307cbe4e61b3b1

    SHA256

    a921cc9cc4af332be96186d60d2539cb413dfa44cfd73e85687f9338505ff85e

    SHA512

    f15811088ecde4cd0c038db2c278b7214e41728e382b25c65c2eb491bc0379c075841398e8c99e8cceba8be7e8342bc69d35836ebe9b12ebebff48d01d5fa61a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsa6061.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    b7d61f3f56abf7b7ff0d4e7da3ad783d

    SHA1

    15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

    SHA256

    89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

    SHA512

    6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsa6061.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    11092c1d3fbb449a60695c44f9f3d183

    SHA1

    b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    SHA256

    2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    SHA512

    c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

    Download Submit

  • memory/2020-43-0x0000000077291000-0x00000000773B1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2020-44-0x0000000077291000-0x00000000773B1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2020-45-0x0000000073EE5000-0x0000000073EE6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-51-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3772-56-0x0000000037F70000-0x0000000037FD6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3772-46-0x0000000077318000-0x0000000077319000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-52-0x0000000077291000-0x00000000773B1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3772-53-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-54-0x0000000000E00000-0x0000000000E40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3772-55-0x0000000038320000-0x00000000388C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3772-47-0x0000000077335000-0x0000000077336000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-57-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3772-59-0x00000000380F0000-0x0000000038140000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3772-60-0x00000000381E0000-0x0000000038272000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3772-61-0x0000000038140000-0x000000003814A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3772-62-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-63-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download