Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 01:06

General

  • Target

    2534507243f92dc2b0a2bc4b0787d63461a4eaf295b68f1f41a69163120d9fb8.exe

  • Size

    815KB

  • MD5

    1262b381609193bd0514fed812173719

  • SHA1

    c8340cfae752bca4fa76b9d83e4f29c061b90e8b

  • SHA256

    2534507243f92dc2b0a2bc4b0787d63461a4eaf295b68f1f41a69163120d9fb8

  • SHA512

    ad53164041228d24b529eeaeafa1555a958dd2647ec4136794c539939a2043595c27761cd96115c1ce49eb51bdba3abb8a9a5d7fdb5f96cb7cd7cb9c975a91c2

  • SSDEEP

    12288:sS2s3yuZG8+De1kIse8LRWjrZCollIoNE8kgZu3KvK541rt:Us3yuZGVteKRyjl6ikyCKvy41rt

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.aminhacorretora.com.br
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    _yA=,M5*J?KH

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.aminhacorretora.com.br
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    _yA=,M5*J?KH

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2534507243f92dc2b0a2bc4b0787d63461a4eaf295b68f1f41a69163120d9fb8.exe
    "C:\Users\Admin\AppData\Local\Temp\2534507243f92dc2b0a2bc4b0787d63461a4eaf295b68f1f41a69163120d9fb8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      PID:2776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      PID:2824
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2372-36-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2372-1-0x0000000000800000-0x00000000008D2000-memory.dmp (Filesize: 840KB)
  • memory/2372-2-0x00000000044B0000-0x000000000454E000-memory.dmp (Filesize: 632KB)
  • memory/2372-3-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2372-4-0x0000000073F5E000-0x0000000073F5F000-memory.dmp (Filesize: 4KB)
  • memory/2372-5-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2372-6-0x0000000000460000-0x000000000047A000-memory.dmp (Filesize: 104KB)
  • memory/2372-7-0x0000000000480000-0x0000000000486000-memory.dmp (Filesize: 24KB)
  • memory/2372-8-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2372-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp (Filesize: 4KB)
  • memory/2372-30-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2776-9-0x0000000000090000-0x00000000000C0000-memory.dmp (Filesize: 192KB)
  • memory/2776-11-0x0000000000090000-0x00000000000C0000-memory.dmp (Filesize: 192KB)
  • memory/2776-13-0x0000000000090000-0x00000000000C0000-memory.dmp (Filesize: 192KB)
  • memory/2776-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2776-12-0x0000000000090000-0x00000000000C0000-memory.dmp (Filesize: 192KB)
  • memory/2824-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2876-37-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2876-31-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
  • memory/2876-35-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
  • memory/2876-33-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
  • memory/2876-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2876-38-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2876-45-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
  • memory/2876-46-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)