Overview

overview

10

Static

static

3

Shipping D...ts.exe

windows7-x64

10

Shipping D...ts.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2024 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Documents.exe

  • Size

    1016KB

  • MD5

    d6d14fc73f7e485b864a1dc1d8fde8f9

  • SHA1

    85a6480abc0f54dafff5e4bc2b996e7655f91b2b

  • SHA256

    fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b

  • SHA512

    00a35cbb44902a58349995ac90800a935df7d28e5e81f3fbd786375be29d7b8dbfb974849046590c0f98702c6f21dbca7a40b5130aca80d84a9c44ee0374061c

  • SSDEEP

    12288:m4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+IauB:/g/0yqiwv0f2SCHYAC+I9

Score
10/10
agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsa9502.tmp
    Filesize

    7B

    MD5

    9569f680da3f887d04664e48682de964

    SHA1

    e436acf7a9432b525a4825560eb37a19ab983f3d

    SHA256

    ca101d01b0317ffc547b0030192d53167e00177324815d73411d961681466de7

    SHA512

    315340726e5fd412f79415d444db7748b3f77bde3de09b0dd5b3f7e7c1cdf4e0baa7990562666e878fbea48330edae83926620a93aaec0645b5b0f4dd219eeac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf9260.tmp
    Filesize

    3B

    MD5

    4e27f2226785e9abbe046fc592668860

    SHA1

    28b18a7f383131df509f7191f946a32c5a2e410c

    SHA256

    01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

    SHA512

    2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf9260.tmp
    Filesize

    6B

    MD5

    50484c19f1afdaf3841a0d821ed393d2

    SHA1

    c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

    SHA256

    6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

    SHA512

    d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf9260.tmp
    Filesize

    9B

    MD5

    2b3884fe02299c565e1c37ee7ef99293

    SHA1

    d8e2ef2a52083f6df210109fea53860ea227af9c

    SHA256

    ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

    SHA512

    aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf9260.tmp
    Filesize

    48B

    MD5

    040cc34b899dd5230d5113b5156ec5d4

    SHA1

    60a49c8b3e3f33b38c1780e8826e50d9672c5bcf

    SHA256

    454a97bbcd88c00fd8617e38fec2ebc855a608adbb751ad5ce4355f6bd171c32

    SHA512

    e6d441445f20c73e6e23203323dd5ff68ac2a74767fa69aac7c2c1b05e7bd981cf461b66c9d516dc53b4bbc32117c12e103187cfca891846b9d42ee2aa2c423d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsf9260.tmp
    Filesize

    52B

    MD5

    5d04a35d3950677049c7a0cf17e37125

    SHA1

    cafdd49a953864f83d387774b39b2657a253470f

    SHA256

    a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

    SHA512

    c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk936A.tmp
    Filesize

    1B

    MD5

    8ce4b16b22b58894aa86c421e8759df3

    SHA1

    13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

    SHA256

    8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

    SHA512

    2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk936A.tmp
    Filesize

    4B

    MD5

    cde63b34c142af0a38cbe83791c964f8

    SHA1

    ece2b194b486118b40ad12c1f0e9425dd0672424

    SHA256

    65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

    SHA512

    0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk936A.tmp
    Filesize

    7B

    MD5

    67cfa7364c4cf265b047d87ff2e673ae

    SHA1

    56e27889277981a9b63fcf5b218744a125bbc2fa

    SHA256

    639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

    SHA512

    17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk936A.tmp
    Filesize

    35B

    MD5

    93bbbb051c8432d87cd6fd8d2658fbe9

    SHA1

    20c538ddfc9384f02a31ffc88024d380029205a0

    SHA256

    731f4ca1fe34c63d8343396751a77a38c6ce61589288ca586a0176674339b6e4

    SHA512

    48e16ee483c07cc83483df1598898f5a83ede30ea2156868cb33ac5c7b7674ce646bd748dffff06f12e5d22f59fd3312640435ef01aa944b105bd172e0a2f312

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk936A.tmp
    Filesize

    48B

    MD5

    b2558f206b1f7c961ac1e4ac4ea92d3d

    SHA1

    01deeeafb79f0748f0ac4d0bc30d806b9ce08006

    SHA256

    321df495d3b2b2f57dbd979b0e4142cac5f282cad332df1bd77ad036b9d3b614

    SHA512

    058c56fe51b178f8b1629bad37ca1c0508f9b6284fe49136242ecc6689a63eae5442ef19648d4b0e7dd4c8bb429df658622f1b26aed461fc30a750ee79e7294b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk936A.tmp
    Filesize

    59B

    MD5

    bec48d9c076faa93fac9b0ccbfccc045

    SHA1

    2848cf5e3b0ab2bbc662c0b61a2cf3cc0525b3ff

    SHA256

    0cda8619d2f5a8eff99ae0fd847c74a6d7bcc59ec0e6e7c2d256a1f86cfc4730

    SHA512

    bc071a8d50c5df871f5482f21243350f41a77df370d14ebb4fe1b9b162e77d8db84f4dfe8c1be7032163487bc86f935d0bdb6b28e9e6c13e55cce23edae1adb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsp924F.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq9427.tmp
    Filesize

    2B

    MD5

    25bc6654798eb508fa0b6343212a74fe

    SHA1

    15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

    SHA256

    8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

    SHA512

    5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq9427.tmp
    Filesize

    5B

    MD5

    e2fecc970546c3418917879fe354826c

    SHA1

    63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

    SHA256

    ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

    SHA512

    3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq9427.tmp
    Filesize

    8B

    MD5

    c3cb69218b85c3260387fb582cb518dd

    SHA1

    961c892ded09a4cbb5392097bb845ccba65902ad

    SHA256

    1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

    SHA512

    2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq9427.tmp
    Filesize

    10B

    MD5

    9a53fc1d7126c5e7c81bb5c15b15537b

    SHA1

    e2d13e0fa37de4c98f30c728210d6afafbb2b000

    SHA256

    a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

    SHA512

    b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq9427.tmp
    Filesize

    36B

    MD5

    c6e2246352803737857d3ca61e83e8da

    SHA1

    d748bb2422683c4eb34775bdec2880b0235293d2

    SHA256

    69c29ac47b1030d10cf3cc7bbc3ecf7e97b58837e620e783b059744bbc1d91c7

    SHA512

    6985c9cfa51e01924d784ef861e9927ddbb9282f36f4b498571a83bdcf0c911273e39fbd7046a8306a76c5cfb6faaebc5667e56785459363db5899929ed29645

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq9427.tmp
    Filesize

    45B

    MD5

    88a193c45bf5c167dfecad3f663cf097

    SHA1

    35d8930a1d1933d4aa2ef58abe0cc8f6e0ec547e

    SHA256

    e70a836a155cbe81dc9ffd7d45ee9635aaee4e581b9d49f326c91925d0cc9073

    SHA512

    f74e50728ec6d908c68ecc6fb8f0e6b8c6e6deca7fce13d5d24127c43b28e959c886d665d95267e1b0e71d59b6d63e580db9e3d4769af250362ae3e7d60bec42

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\barleybird.ini
    Filesize

    36B

    MD5

    aaec21587703506dff20363c6402f5c6

    SHA1

    d8995f3e0a6ac0ee4b0047e7301cd0f4e838ae9c

    SHA256

    10b7f20c1b7dd887624c1520bce6c531a5aa50cc9c8204bd277c2f7cccc39bc7

    SHA512

    d510c9ec8d02272d3112e89ae4a17d17442e5bd62d1cf3cc58526df2bb706f5e0e0be09cfdf775567564ff26a826570dc2d08e2a7439aed8924109f110386010

    Download Submit

  • memory/3888-852-0x0000000037B80000-0x0000000037BD0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3888-847-0x0000000001A80000-0x0000000004362000-memory.dmp

    Filesize

    40.9MB

    Download

  • memory/3888-848-0x0000000000820000-0x0000000001A74000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3888-849-0x0000000000820000-0x0000000000862000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3888-850-0x0000000036D20000-0x00000000372C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3888-851-0x0000000036C30000-0x0000000036C96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3888-853-0x0000000037BD0000-0x0000000037C62000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3888-854-0x0000000037CA0000-0x0000000037CAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3888-856-0x0000000001A80000-0x0000000004362000-memory.dmp

    Filesize

    40.9MB

    Download

  • memory/4844-844-0x0000000077111000-0x0000000077231000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4844-845-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4844-846-0x0000000004DA0000-0x0000000007682000-memory.dmp

    Filesize

    40.9MB

    Download

  • memory/4844-843-0x0000000004DA0000-0x0000000007682000-memory.dmp

    Filesize

    40.9MB

    Download