Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 13:24
Behavioral task
behavioral1
Sample
z11FACTURA0987654567800.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
z11FACTURA0987654567800.exe
Resource
win10v2004-20240802-en
General
-
Target
z11FACTURA0987654567800.exe
-
Size
850KB
-
MD5
4c086ea2cf962b2584e7cc978092f414
-
SHA1
684a0a66447920947ce272d1db6479bac184d34b
-
SHA256
ca690123d14bd3632ab53a076f8bfb7bd2176248af6b735af9719aca77a024b5
-
SHA512
ea1aa1eb3d50c4f91d55538665cc2f32d470d6aae4b8decb14c508a67b7c8a7a8c7e02eecc7bd9553281cac21933b463bebc14046c1a48b8a9f269d27a5a13de
-
SSDEEP
24576:tthEVaPqLaxPrH9DZJ7jPiOrxScRujiCEj5uuv:VEVUcuZZJ7xE6v
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.antoniomayol.com:21 - Port:
21 - Username:
johnson@antoniomayol.com - Password:
cMhKDQUk1{;%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs Glagolitic.exe -
Executes dropped EXE 1 IoCs
pid Process 2884 Glagolitic.exe -
Loads dropped DLL 1 IoCs
pid Process 2732 z11FACTURA0987654567800.exe -
resource yara_rule behavioral1/memory/2732-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/files/0x00060000000186b7-5.dat upx behavioral1/memory/2884-10-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2732-9-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2884-23-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2732-26-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2732-9-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2884-23-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2732-26-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2884 set thread context of 2180 2884 Glagolitic.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language z11FACTURA0987654567800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glagolitic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2180 RegSvcs.exe 2180 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2884 Glagolitic.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2180 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2884 2732 z11FACTURA0987654567800.exe 30 PID 2732 wrote to memory of 2884 2732 z11FACTURA0987654567800.exe 30 PID 2732 wrote to memory of 2884 2732 z11FACTURA0987654567800.exe 30 PID 2732 wrote to memory of 2884 2732 z11FACTURA0987654567800.exe 30 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31 PID 2884 wrote to memory of 2180 2884 Glagolitic.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\prespecialist\Glagolitic.exe"C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
Network
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
362 B 562 B 6 5
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
239KB
MD5b49fdffa8438252950fe828a340b352a
SHA10b2dbe5b13cb2502db47fc641ac734d397e8c8bc
SHA2567653bfa4c3576106d6c415cf2ba6b709b8f89dfd083faf5798a627a4e323850d
SHA512f7be5a41484a8cda2f5c95cc9636c3313646f27f2dde16ad480e50dfce47c01c7289928386e8c5932c21ba8fa0643a1c8cac2e72e337ab13b9c9adf90d507e41
-
Filesize
850KB
MD54c086ea2cf962b2584e7cc978092f414
SHA1684a0a66447920947ce272d1db6479bac184d34b
SHA256ca690123d14bd3632ab53a076f8bfb7bd2176248af6b735af9719aca77a024b5
SHA512ea1aa1eb3d50c4f91d55538665cc2f32d470d6aae4b8decb14c508a67b7c8a7a8c7e02eecc7bd9553281cac21933b463bebc14046c1a48b8a9f269d27a5a13de