Overview

overview

10

Static

static

3

CONSULTA#1...RE.exe

windows7-x64

10

CONSULTA#1...RE.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe

  • Size

    605KB

  • MD5

    c6c117c18fead29fb0e5393139d0b0f2

  • SHA1

    73a18e382de6516dac2ffb386a7fbcbcd3bb4101

  • SHA256

    65a95ebb11d9f2916453cb3c2b7e45b583ba360af7bfd915547de103b78cfe5e

  • SHA512

    d92b5c3064bf186bf716f154df5a4c8309d359176a3f5abdb5ba317f3c6a6811afe4793349195b9471af7c176f74ad31835233ca1e18ba883382e820bcf58aca

  • SSDEEP

    12288:LziLE5mL2ElK5ZaogX46imb569QKOI5nETg9V0baQCtxNwho5aMqHF:CwIL2xZaomziC569H/9GajtjL5aMW

Score
10/10
agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.zoho.eu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    office12#

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe
    "C:\Users\Admin\AppData\Local\Temp\CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe
      "C:\Users\Admin\AppData\Local\Temp\CONSULTA#1604045 MATERIAL DE MUESTRA SEPTIEMBRE.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab14CA.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar14ED.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd99D2.tmp
    Filesize

    65B

    MD5

    1bd5509d17a385dbcebec5b71de8dffc

    SHA1

    9d70c3f205dddda5e33e5de97c0a09feb6836130

    SHA256

    2bad3065546719b1e5ff58cb7ca6231b6cb669fb1fd06fb30102e9df00d63e60

    SHA512

    ca43f9d62ad2c3b950b816274869a1c0bd22b77bbb80fc810783ef23b9317362132fb2f29510bb51f4d00940d8c9038b5700560b6f1e38722b2e65037c148bbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd9A21.tmp
    Filesize

    6B

    MD5

    50484c19f1afdaf3841a0d821ed393d2

    SHA1

    c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

    SHA256

    6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

    SHA512

    d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd9A21.tmp
    Filesize

    23B

    MD5

    8c367f7037d83ec5fc0be4bcd16dba9d

    SHA1

    0efc8b29b482afae9aaceef0d80a138ab9b527a9

    SHA256

    6f470f6196119f505cd2d1b132c50c06fd6522bbd6ffc95b992212093221b637

    SHA512

    356e4ee6b5572b174084957b61e2aaea850486e2c087b87019bcb7565013d86aadffdc1f3e70ec4c77be108519ce312a2db1896584a738d631c190c03f5fec56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd9A21.tmp
    Filesize

    42B

    MD5

    a736abcb9380cc3122c530302f713c8b

    SHA1

    04b4d0d386bd0ade20409730e8160c5c713fb36b

    SHA256

    5e8f7f2bad61bc10fa2f647e1367a29053166799244128a74508cc3c3a760c08

    SHA512

    234d99b774a992d86762c9d298dc62d612219234db760a259d6e21ed9d1f10dd810aefb4d9c82af254ceb7d64ff2811772dfc4350ccdfd4375f01a7b801cc333

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd9A21.tmp
    Filesize

    52B

    MD5

    5d04a35d3950677049c7a0cf17e37125

    SHA1

    cafdd49a953864f83d387774b39b2657a253470f

    SHA256

    a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

    SHA512

    c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst9A81.tmp
    Filesize

    44B

    MD5

    7253ff94016e70394bc0a6c33e7ed8fe

    SHA1

    abb1782294b49db34caced8dced28b84edbfcee9

    SHA256

    405be71f7bbc7a55b0ce4f224c2adc4b22f0965e02f574088c30c5501a0077b5

    SHA512

    169822e74b941c38761558080a2be2a8233c6af6d2a09b1c772bcb1aa8f758bef8fb4f6fd90e6c3894ecfcf198edb4aa5be659fcdb23b814f14e204cc5396857

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst9A81.tmp
    Filesize

    56B

    MD5

    8ccb0932855a1ffe032cee4d39a97f5c

    SHA1

    76131da7f01ef73db35b01357e9bd65f018f259d

    SHA256

    7556233f3d86deaa74a8db71b44ebc802d4e8b4913e2dba5a8eff2df8eeb3612

    SHA512

    84a4f728719d472f44a29c7bae197cdccc40a6a3fa7d4fb46014429b53998e32f60b8cc3de5932aff3488ae25bcb9a67e4af0ccff478113ce576c9f236844b19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst9AD0.tmp
    Filesize

    8B

    MD5

    0aff9fdb7bae79c535cbdbb7f3ecb028

    SHA1

    cb32be0ca11c3fb6ede60d578af91f0aa21af6e5

    SHA256

    09db256670b92566a3108f5913d78b8b872c473340abf48cda2af7ca33cec3df

    SHA512

    f52bb5b8846dadea41f8951a40258813d6c3f40328996945c23c6f4588e7e8bb5bbdd7f83bf0da45b123c14a1c826dd7e4f8439bbe4a9888d238848222530995

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nst9AD0.tmp
    Filesize

    30B

    MD5

    f15bfdebb2df02d02c8491bde1b4e9bd

    SHA1

    93bd46f57c3316c27cad2605ddf81d6c0bde9301

    SHA256

    c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

    SHA512

    1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy9A51.tmp
    Filesize

    60B

    MD5

    5540f2eb7e351633a36a50098bb3aec7

    SHA1

    1c8ab822b73d242ab05789046b631859c6f8dbc7

    SHA256

    ee4fcb5ac33527a7be215ff98e7b89f000180d5cc319da66b566999541f3b35c

    SHA512

    34d4226685e9273c5ea0b74058ca644a7fc46fca115256e3c890bc6cd786c89a7a7deb4eec45311fd8c187e469ccd7ac146827cca80ba46dc19d23c381532003

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso99C2.tmp\System.dll
    Filesize

    11KB

    MD5

    17ed1c86bd67e78ade4712be48a7d2bd

    SHA1

    1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    SHA256

    bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    SHA512

    0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    Download Submit

  • memory/1028-569-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1028-571-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1028-572-0x0000000000470000-0x00000000014D2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1028-573-0x0000000000470000-0x00000000004B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2172-567-0x0000000077461000-0x0000000077562000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2172-568-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download