Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 13:18
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT 00251,8301,66329.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
PAYMENT 00251,8301,66329.exe
Resource
win10v2004-20240802-en
General
-
Target
PAYMENT 00251,8301,66329.exe
-
Size
77.0MB
-
MD5
54d5035f6e0651a42081bbf94c992575
-
SHA1
356a2631c588d5b5bc67999a0c3ea5f9233af4b2
-
SHA256
dcc7a889e4a2b801932f6389e657c4d3c6c3974af4044801ab68379cc2b600e0
-
SHA512
f6f3ff19c338b9a7ae00f0b1fc01c9f995a659088ec49bafacb503b4ffe8964eb03795a6cde61dd645a727edac20deabdcf5534ba4b876de74c68bfa9b454a48
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCOnJQmut27bcalIZhgQAx:7JZoQrbTFZY1iaCOnJButijlIKx
Malware Config
Extracted
Protocol: smtp- Host:
mail.flujoauditorias.cl - Port:
587 - Username:
[email protected] - Password:
l;0jGu7J;z_a
Extracted
agenttesla
Protocol: smtp- Host:
mail.flujoauditorias.cl - Port:
587 - Username:
[email protected] - Password:
l;0jGu7J;z_a - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2084 set thread context of 2324 2084 PAYMENT 00251,8301,66329.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PAYMENT 00251,8301,66329.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2324 RegSvcs.exe 2324 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2084 PAYMENT 00251,8301,66329.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2324 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2084 PAYMENT 00251,8301,66329.exe 2084 PAYMENT 00251,8301,66329.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2084 PAYMENT 00251,8301,66329.exe 2084 PAYMENT 00251,8301,66329.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30 PID 2084 wrote to memory of 2324 2084 PAYMENT 00251,8301,66329.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT 00251,8301,66329.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT 00251,8301,66329.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT 00251,8301,66329.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324
-