Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-09-2024 13:24

General

  • Target

    z11FACTURA0987654567800.exe

  • Size

    850KB

  • MD5

    4c086ea2cf962b2584e7cc978092f414

  • SHA1

    684a0a66447920947ce272d1db6479bac184d34b

  • SHA256

    ca690123d14bd3632ab53a076f8bfb7bd2176248af6b735af9719aca77a024b5

  • SHA512

    ea1aa1eb3d50c4f91d55538665cc2f32d470d6aae4b8decb14c508a67b7c8a7a8c7e02eecc7bd9553281cac21933b463bebc14046c1a48b8a9f269d27a5a13de

  • SSDEEP

    24576:tthEVaPqLaxPrH9DZJ7jPiOrxScRujiCEj5uuv:VEVUcuZZJ7xE6v

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    johnson@antoniomayol.com
  • Password:
    cMhKDQUk1{;%

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe
    "C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\prespecialist\Glagolitic.exe
      "C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\z11FACTURA0987654567800.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180

Network

  • DNS
    ip-api.com
    Process: RegSvcs.exe
    Remote address: 8.8.8.8:53
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • GET
    http://ip-api.com/line/?fields=hosting
    Process: RegSvcs.exe
    Remote address: 208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 18 Sep 2024 13:24:21 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    RegSvcs.exe
    362 B
    562 B
    6
    5

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    ip-api.com
    dns
    RegSvcs.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\directiveness

    Filesize

    239KB

    MD5

    b49fdffa8438252950fe828a340b352a

    SHA1

    0b2dbe5b13cb2502db47fc641ac734d397e8c8bc

    SHA256

    7653bfa4c3576106d6c415cf2ba6b709b8f89dfd083faf5798a627a4e323850d

    SHA512

    f7be5a41484a8cda2f5c95cc9636c3313646f27f2dde16ad480e50dfce47c01c7289928386e8c5932c21ba8fa0643a1c8cac2e72e337ab13b9c9adf90d507e41

  • \Users\Admin\AppData\Local\prespecialist\Glagolitic.exe

    Filesize

    850KB

    MD5

    4c086ea2cf962b2584e7cc978092f414

    SHA1

    684a0a66447920947ce272d1db6479bac184d34b

    SHA256

    ca690123d14bd3632ab53a076f8bfb7bd2176248af6b735af9719aca77a024b5

    SHA512

    ea1aa1eb3d50c4f91d55538665cc2f32d470d6aae4b8decb14c508a67b7c8a7a8c7e02eecc7bd9553281cac21933b463bebc14046c1a48b8a9f269d27a5a13de

  • memory/2180-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2180-28-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2180-27-0x00000000746CE000-0x00000000746CF000-memory.dmp

    Filesize

    4KB

  • memory/2180-25-0x00000000746C0000-0x0000000074DAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2180-24-0x00000000746CE000-0x00000000746CF000-memory.dmp

    Filesize

    4KB

  • memory/2180-17-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2180-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2732-9-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2732-0-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2732-26-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2732-3-0x0000000003A40000-0x0000000003E40000-memory.dmp

    Filesize

    4.0MB

  • memory/2884-23-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2884-15-0x00000000039A0000-0x0000000003DA0000-memory.dmp

    Filesize

    4.0MB

  • memory/2884-10-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB
