Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2024, 10:38
Static task
static1
Behavioral task
behavioral1
Sample
Shipping documents 000293994900.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Shipping documents 000293994900.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Shipping documents 000293994900.exe
-
Size
722KB
-
MD5
c8d26f7208eaaa31a839ec190489c9a1
-
SHA1
c9bc4695a4f4afdcc89d216b7ad8d0ce4d0bc7e3
-
SHA256
f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e
-
SHA512
30983bc1f3b8fc96023d5b2773ab41ee1ced9718334d1cc50a24143a4d6ed04dfdc9400c9f401df20bc7dd05919a5936b3e7fb97c7504f804cd06210eee7f168
-
SSDEEP
12288:8tvD9kg2V9Lki65FEdYjpTEl9msWkXfflWGwzc7MnWAdV/sPsrVawwDXZsBwRsOd:1XlP60dM4b1nlMGMnWAdV9wtsBShx
Malware Config
Extracted
Protocol: ftp- Host:
ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Loads dropped DLL 1 IoCs
pid Process 4908 Shipping documents 000293994900.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 api.ipify.org 28 api.ipify.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 944 Shipping documents 000293994900.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4908 Shipping documents 000293994900.exe 944 Shipping documents 000293994900.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4908 set thread context of 944 4908 Shipping documents 000293994900.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shipping documents 000293994900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shipping documents 000293994900.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4908 Shipping documents 000293994900.exe 944 Shipping documents 000293994900.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 944 Shipping documents 000293994900.exe 944 Shipping documents 000293994900.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4908 Shipping documents 000293994900.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 944 Shipping documents 000293994900.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4908 wrote to memory of 944 4908 Shipping documents 000293994900.exe 96 PID 4908 wrote to memory of 944 4908 Shipping documents 000293994900.exe 96 PID 4908 wrote to memory of 944 4908 Shipping documents 000293994900.exe 96 PID 4908 wrote to memory of 944 4908 Shipping documents 000293994900.exe 96 PID 4908 wrote to memory of 944 4908 Shipping documents 000293994900.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57399323923e3946fe9140132ac388132
SHA1728257d06c452449b1241769b459f091aabcffc5
SHA2565a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1