Analysis
-
max time kernel
83s -
max time network
112s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 15:28
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT 00251,8301,66329.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
PAYMENT 00251,8301,66329.exe
Resource
win10v2004-20240802-en
General
-
Target
PAYMENT 00251,8301,66329.exe
-
Size
77.0MB
-
MD5
54d5035f6e0651a42081bbf94c992575
-
SHA1
356a2631c588d5b5bc67999a0c3ea5f9233af4b2
-
SHA256
dcc7a889e4a2b801932f6389e657c4d3c6c3974af4044801ab68379cc2b600e0
-
SHA512
f6f3ff19c338b9a7ae00f0b1fc01c9f995a659088ec49bafacb503b4ffe8964eb03795a6cde61dd645a727edac20deabdcf5534ba4b876de74c68bfa9b454a48
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCOnJQmut27bcalIZhgQAx:7JZoQrbTFZY1iaCOnJButijlIKx
Malware Config
Extracted
Protocol: smtp- Host:
mail.flujoauditorias.cl - Port:
587 - Username:
[email protected] - Password:
l;0jGu7J;z_a
Extracted
agenttesla
Protocol: smtp- Host:
mail.flujoauditorias.cl - Port:
587 - Username:
[email protected] - Password:
l;0jGu7J;z_a - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2320 set thread context of 3032 2320 PAYMENT 00251,8301,66329.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PAYMENT 00251,8301,66329.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3032 RegSvcs.exe 3032 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2320 PAYMENT 00251,8301,66329.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3032 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2320 PAYMENT 00251,8301,66329.exe 2320 PAYMENT 00251,8301,66329.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2320 PAYMENT 00251,8301,66329.exe 2320 PAYMENT 00251,8301,66329.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29 PID 2320 wrote to memory of 3032 2320 PAYMENT 00251,8301,66329.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT 00251,8301,66329.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT 00251,8301,66329.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT 00251,8301,66329.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-