Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2024, 09:40
Static task
static1
Behavioral task
behavioral1
Sample
whatsappjpg.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
whatsappjpg.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
whatsappjpg.exe
-
Size
724KB
-
MD5
8a3f9583866e402739f7da1541d6038d
-
SHA1
928530c1cee879a0c6c284f71a56039004ca4fa9
-
SHA256
fb89c14504a9c08ddc006305975b11a20f0595e1f2ad7bd9475ba5c245eda0f6
-
SHA512
43040b663ba09c3c9b284c045c4a16250b95117b0e45c17a2d164d2f66089b875850f81adfd122e7e7d73a42d18d6ea482e9e6473a04dea39b85f2230bf3de74
-
SSDEEP
12288:8tvD9kg2V9Lki65FEyz2szE/oDnv7nUhyl6sgoLpp2NjamHD3v1:1XlP60yz2sMenbUhyo80j1D1
Malware Config
Extracted
Protocol: ftp- Host:
mail.hearing-vision.com - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mail.hearing-vision.com - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Loads dropped DLL 1 IoCs
pid Process 4916 whatsappjpg.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 43 ip-api.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 1652 whatsappjpg.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4916 whatsappjpg.exe 1652 whatsappjpg.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4916 set thread context of 1652 4916 whatsappjpg.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language whatsappjpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language whatsappjpg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1652 whatsappjpg.exe 1652 whatsappjpg.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4916 whatsappjpg.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1652 whatsappjpg.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4916 wrote to memory of 1652 4916 whatsappjpg.exe 97 PID 4916 wrote to memory of 1652 4916 whatsappjpg.exe 97 PID 4916 wrote to memory of 1652 4916 whatsappjpg.exe 97 PID 4916 wrote to memory of 1652 4916 whatsappjpg.exe 97 PID 4916 wrote to memory of 1652 4916 whatsappjpg.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\whatsappjpg.exe"C:\Users\Admin\AppData\Local\Temp\whatsappjpg.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\whatsappjpg.exe"C:\Users\Admin\AppData\Local\Temp\whatsappjpg.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57399323923e3946fe9140132ac388132
SHA1728257d06c452449b1241769b459f091aabcffc5
SHA2565a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1