Analysis
-
max time kernel
135s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 19:59
Static task
static1
Behavioral task
behavioral1
Sample
ListadeembalajeydireccindeDHL.bat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ListadeembalajeydireccindeDHL.bat.exe
Resource
win10v2004-20240802-en
General
-
Target
ListadeembalajeydireccindeDHL.bat.exe
-
Size
77.0MB
-
MD5
a2eb0cef8229b46e9b9a326289f9b25a
-
SHA1
ac18afedea384ff1fa3294c19fb05e20bb13966b
-
SHA256
3db464cfb18f44f0bd814e59789a76363c0db090afd595add448f8ca802284e2
-
SHA512
067f218450301f1d4b40214a42a9b85105d3c528d7056a335e043f44e756622bc1b6345a4135ebcc182516ff62414af3c73747563c5b95c8af713e0bf5a3fcc3
-
SSDEEP
24576:e4lavt0LkLL9IMixoEgea+rsiDPP/q9MmCS:Jkwkn9IMHea+zDPaPCS
Malware Config
Extracted
Protocol: smtp- Host:
mail.flujoauditorias.cl - Port:
587 - Username:
[email protected] - Password:
l;0jGu7J;z_a
Extracted
agenttesla
Protocol: smtp- Host:
mail.flujoauditorias.cl - Port:
587 - Username:
[email protected] - Password:
l;0jGu7J;z_a - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1076 set thread context of 2348 1076 ListadeembalajeydireccindeDHL.bat.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ListadeembalajeydireccindeDHL.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2348 RegSvcs.exe 2348 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1076 ListadeembalajeydireccindeDHL.bat.exe 1076 ListadeembalajeydireccindeDHL.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2348 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1076 ListadeembalajeydireccindeDHL.bat.exe 1076 ListadeembalajeydireccindeDHL.bat.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1076 ListadeembalajeydireccindeDHL.bat.exe 1076 ListadeembalajeydireccindeDHL.bat.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1076 wrote to memory of 2348 1076 ListadeembalajeydireccindeDHL.bat.exe 88 PID 1076 wrote to memory of 2348 1076 ListadeembalajeydireccindeDHL.bat.exe 88 PID 1076 wrote to memory of 2348 1076 ListadeembalajeydireccindeDHL.bat.exe 88 PID 1076 wrote to memory of 2348 1076 ListadeembalajeydireccindeDHL.bat.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\ListadeembalajeydireccindeDHL.bat.exe"C:\Users\Admin\AppData\Local\Temp\ListadeembalajeydireccindeDHL.bat.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\ListadeembalajeydireccindeDHL.bat.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348
-