Analysis
-
max time kernel
147s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-10-2024 02:48
General
-
Target
fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe
-
Size
1016KB
-
MD5
d6d14fc73f7e485b864a1dc1d8fde8f9
-
SHA1
85a6480abc0f54dafff5e4bc2b996e7655f91b2b
-
SHA256
fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b
-
SHA512
00a35cbb44902a58349995ac90800a935df7d28e5e81f3fbd786375be29d7b8dbfb974849046590c0f98702c6f21dbca7a40b5130aca80d84a9c44ee0374061c
-
SSDEEP
12288:m4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+IauB:/g/0yqiwv0f2SCHYAC+I9
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe"C:\Users\Admin\AppData\Local\Temp\fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe"C:\Users\Admin\AppData\Local\Temp\fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31B
MD5bebdffa37358b59c6d03d4e3947c6f6c
SHA1bb3d6a0095f4d6d2dac15bb64ffd4775952bf547
SHA2563e3573216f1f8de74e0c00566b297b31f2c5b0e1015114d370fb84cfcdbe97d3
SHA512651f98e9cf38c74647806c574f807c6a84d3b60c25aa701c00ad0cac409ff99fa490169ee033ba4ab1aa97dd8010c887d21d1dd1219bbfe5ae81ab39991efdbd
-
Filesize
52B
MD55d04a35d3950677049c7a0cf17e37125
SHA1cafdd49a953864f83d387774b39b2657a253470f
SHA256a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
SHA512c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b
-
Filesize
32B
MD5e2dbe92e63c19b97b34cb37f30c67f04
SHA19751e7cc7701b5f8cf558ab97714e8aab495d6ff
SHA256f5e747955048b7b2d530c6319ddd7592ff1cd539a20cd5c5ab6afacd46e8b410
SHA512b2987da9916fbefaf33ec2a12b03d3159d85c53b3578e94951cb2b4f5824e0397c17f17f4ebc73d968b985e8556f2a82e8278bec20876339e303c4994136e39f
-
Filesize
5B
MD5e2fecc970546c3418917879fe354826c
SHA163f1c1dd01b87704a6b6c99fd9f141e0a3064f16
SHA256ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0
SHA5123c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a
-
Filesize
1B
MD58ce4b16b22b58894aa86c421e8759df3
SHA113fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA2568254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA5122af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25
-
Filesize
2B
MD525bc6654798eb508fa0b6343212a74fe
SHA115d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA2568e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA5125868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898
-
Filesize
3B
MD54e27f2226785e9abbe046fc592668860
SHA128b18a7f383131df509f7191f946a32c5a2e410c
SHA25601a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
SHA5122a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb
-
Filesize
4B
MD5cde63b34c142af0a38cbe83791c964f8
SHA1ece2b194b486118b40ad12c1f0e9425dd0672424
SHA25665e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d
SHA5120559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c
-
Filesize
58B
MD5e252516da96738f65152fe68908c3c1f
SHA19cb852372b0f977b4060196173cb25945599df81
SHA256c73bedb441b68f42bf2c9619d1ebfe999b0d93f605a2d3292cf6b85a792411cf
SHA512aaf2f81d8e51a4b93a3ae88b05c49eb1f7a84ddb7fb9534f6fc54d536589eb0f49c46f3c6dbe9319e0cca7ba424a46c186eb2ded7dd7fa66160c99512459032b
-
Filesize
19B
MD59b81480d3420dfa314a7ca8c685e3c0f
SHA11bd4068ee9af7a94d6c59c563f191783b158c65b
SHA256ef5767399ab18e9604a1ce029f5ef4228a2421f599ab580bfff4e2e4fb6b409d
SHA5122b5ecd729d0a9b22e1744a17051745d929c686b14e3815787769d2d9577ccdf12686201a48c64103fa11d8525e70074300ea95d5e23b09bbd5df9e6752bb4731
-
Filesize
36B
MD5aaec21587703506dff20363c6402f5c6
SHA1d8995f3e0a6ac0ee4b0047e7301cd0f4e838ae9c
SHA25610b7f20c1b7dd887624c1520bce6c531a5aa50cc9c8204bd277c2f7cccc39bc7
SHA512d510c9ec8d02272d3112e89ae4a17d17442e5bd62d1cf3cc58526df2bb706f5e0e0be09cfdf775567564ff26a826570dc2d08e2a7439aed8924109f110386010
-
Filesize
11KB
MD53f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA5120a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
-
Filesize
40.9MB
-
Filesize
1.7MB
-
Filesize
1.0MB
-
Filesize
40.9MB
-
Filesize
1.7MB
-
Filesize
16.4MB
-
Filesize
16.4MB
-
Filesize
264KB