Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 03:32

General

  • Target

    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe

  • Size

    999KB

  • MD5

    5c45c0877fb82d10594fde27ceef591d

  • SHA1

    ea68349b2af800d39680cf50da9e3284ec1d52a4

  • SHA256

    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052

  • SHA512

    d6497d61d8bbf155223fe4554783b0e86ab326ffb20bbbac4b444e0d27f16715458bf055085732c4204cbccba84419de62bd75615602a291e26c1dbc74a6bda9

  • SSDEEP

    24576:+YB//x9siaesoieYuVffHku3WggclxxIJzsGOB:j9//FAUHffHkumggclxGZW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
    "C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
      "C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\System.dll

    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • memory/1388-22-0x0000000037240000-0x00000000372A6000-memory.dmp

    Filesize

    408KB

  • memory/1388-15-0x00000000016F0000-0x0000000004622000-memory.dmp

    Filesize

    47.2MB

  • memory/1388-19-0x0000000000490000-0x00000000016E4000-memory.dmp

    Filesize

    18.3MB

  • memory/1388-20-0x0000000000490000-0x00000000004D2000-memory.dmp

    Filesize

    264KB

  • memory/1388-21-0x00000000374F0000-0x0000000037A94000-memory.dmp

    Filesize

    5.6MB

  • memory/1388-24-0x0000000037DE0000-0x0000000037E30000-memory.dmp

    Filesize

    320KB

  • memory/1388-25-0x0000000037E30000-0x0000000037EC2000-memory.dmp

    Filesize

    584KB

  • memory/1388-26-0x0000000037F20000-0x0000000037F2A000-memory.dmp

    Filesize

    40KB

  • memory/1388-27-0x00000000016F0000-0x0000000004622000-memory.dmp

    Filesize

    47.2MB

  • memory/2524-12-0x00000000771E1000-0x0000000077301000-memory.dmp

    Filesize

    1.1MB

  • memory/2524-13-0x0000000073ED5000-0x0000000073ED6000-memory.dmp

    Filesize

    4KB

  • memory/2524-14-0x00000000032B0000-0x00000000061E2000-memory.dmp

    Filesize

    47.2MB

  • memory/2524-11-0x00000000032B0000-0x00000000061E2000-memory.dmp

    Filesize

    47.2MB