Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 03:59
Static task
static1
Behavioral task
behavioral1
Sample
Shipping documents.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Shipping documents.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Shipping documents.exe
-
Size
1.4MB
-
MD5
0b67de290afdcb06218d5ab1a6c3c49b
-
SHA1
372ecac4cd7fe8de0f89aff4755683f8fed81a26
-
SHA256
669bfc59550b87a86c5e87d33da3e63be15f8712184a6aa176e0021b8c65df1e
-
SHA512
fc21a1dc1a1a29a5bdfc0d28f8d1a6be9204a26b7946b08d27e97b4e4c31c4be1caaa0bb9e2b199697ea0ec529ef7165c37ee7bb512c6accdae179f86fd66063
-
SSDEEP
24576:ktdCzxWfKe9UR1FCBmjwGJkAQy4X1N4QNbJP71SIzKgopvgeum5hD4nA:k2xWfKe9E1rEGZQTXXdP78d91Pumv4nA
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
Processes:
Shipping documents.exepid process 516 Shipping documents.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 31 api.ipify.org 32 api.ipify.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
Shipping documents.exepid process 2876 Shipping documents.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Shipping documents.exeShipping documents.exepid process 516 Shipping documents.exe 2876 Shipping documents.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Shipping documents.exedescription pid process target process PID 516 set thread context of 2876 516 Shipping documents.exe Shipping documents.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Shipping documents.exeShipping documents.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shipping documents.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shipping documents.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
Shipping documents.exeShipping documents.exepid process 516 Shipping documents.exe 2876 Shipping documents.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Shipping documents.exepid process 2876 Shipping documents.exe 2876 Shipping documents.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Shipping documents.exepid process 516 Shipping documents.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Shipping documents.exedescription pid process Token: SeDebugPrivilege 2876 Shipping documents.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Shipping documents.exedescription pid process target process PID 516 wrote to memory of 2876 516 Shipping documents.exe Shipping documents.exe PID 516 wrote to memory of 2876 516 Shipping documents.exe Shipping documents.exe PID 516 wrote to memory of 2876 516 Shipping documents.exe Shipping documents.exe PID 516 wrote to memory of 2876 516 Shipping documents.exe Shipping documents.exe PID 516 wrote to memory of 2876 516 Shipping documents.exe Shipping documents.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fc3772787eb239ef4d0399680dcc4343
SHA1db2fa99ec967178cd8057a14a428a8439a961a73
SHA2569b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA51279e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89