Overview

overview

10

Static

static

10

1/0178b79b...bd.exe

windows7-x64

10

1/0178b79b...bd.exe

windows10-2004-x64

10

1/0280cde4...60.exe

windows7-x64

10

1/0280cde4...60.exe

windows10-2004-x64

10

1/08b76206...65.exe

windows7-x64

10

1/08b76206...65.exe

windows10-2004-x64

10

1/0e4fc438...91.exe

windows7-x64

3

1/0e4fc438...91.exe

windows10-2004-x64

10

1/0fb86a8b...05.exe

windows7-x64

10

1/0fb86a8b...05.exe

windows10-2004-x64

10

1/25898c73...8f.exe

windows7-x64

10

1/25898c73...8f.exe

windows10-2004-x64

3

1/2c2e9491...3c.exe

windows7-x64

3

1/2c2e9491...3c.exe

windows10-2004-x64

10

1/2ef0f582...2e.exe

windows7-x64

3

1/2ef0f582...2e.exe

windows10-2004-x64

10

1/39884fc0...82.exe

windows7-x64

10

1/39884fc0...82.exe

windows10-2004-x64

10

1/3a72ecec...8a.exe

windows7-x64

10

1/3a72ecec...8a.exe

windows10-2004-x64

10

1/3bfcb4f7...71.exe

windows7-x64

10

1/3bfcb4f7...71.exe

windows10-2004-x64

10

1/4103411f...f5.exe

windows7-x64

10

1/4103411f...f5.exe

windows10-2004-x64

10

1/4e0fdb84...95.exe

windows7-x64

3

1/4e0fdb84...95.exe

windows10-2004-x64

7

1/5297372f...33.exe

windows7-x64

5

1/5297372f...33.exe

windows10-2004-x64

5

1/68292f38...e4.exe

windows7-x64

3

1/68292f38...e4.exe

windows10-2004-x64

10

1/6da4696b...e5.exe

windows7-x64

7

1/6da4696b...e5.exe

windows10-2004-x64

7

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    111s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe

  • Size

    731KB

  • MD5

    bd1050f3642d22733a30cd101f591713

  • SHA1

    5a6553bea21e2df2307ed5c843072bcb023566be

  • SHA256

    3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671

  • SHA512

    6cc19b1df105d9f4e76c39f7be79c9a5a42fdb338a8b56b1d16e1343221e36552344fc30aa8c2bf4d48781694a412dcddb5858a36c643706bc778b0b8cc59883

  • SSDEEP

    12288:tmoDWx2PQfRcudR5C3T+Lc7vaVs95ucinaj13Tp8K2:tHawMR9/gDR5yrQx2K2

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
    "C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
      "C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe"
      2⤵
        PID:2400
      • C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
        "C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe"
        2⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
          "C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe"
          2⤵
            PID:2840
          • C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
            "C:\Users\Admin\AppData\Local\Temp\1\3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
        • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
          1⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:2660
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          1⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7039758,0x7fef7039768,0x7fef7039778
            2⤵
              PID:2044
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:2
              2⤵
                PID:2236
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:8
                2⤵
                  PID:2220
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1652 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:8
                  2⤵
                    PID:2296
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:1
                    2⤵
                      PID:1776
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:1
                      2⤵
                        PID:1716
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1504 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:2
                        2⤵
                          PID:2392
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3220 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:1
                          2⤵
                            PID:1796
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:8
                            2⤵
                              PID:1708
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3752 --field-trial-handle=1240,i,5179701535682770358,1427287103829438863,131072 /prefetch:1
                              2⤵
                                PID:2800
                            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                              1⤵
                                PID:1820

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
                                Filesize

                                215KB

                                MD5

                                2be38925751dc3580e84c3af3a87f98d

                                SHA1

                                8a390d24e6588bef5da1d3db713784c11ca58921

                                SHA256

                                1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

                                SHA512

                                1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                                Filesize

                                16B

                                MD5

                                aefd77f47fb84fae5ea194496b44c67a

                                SHA1

                                dcfbb6a5b8d05662c4858664f81693bb7f803b82

                                SHA256

                                4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                                SHA512

                                b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                Filesize

                                264KB

                                MD5

                                f50f89a0a91564d0b8a211f8921aa7de

                                SHA1

                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                SHA256

                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                SHA512

                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                9e61a2b511dd665dfe0c7107d14aaf9f

                                SHA1

                                65441ecee0becde810fbc710528831f707306aeb

                                SHA256

                                098068db3cd66767d27a78123aecb51f75b6ab85eac7ea3ae75e172a7c423001

                                SHA512

                                81f2cb7c59ea54d8ba67db374ea87c1f13f63cb45ee454b08f06308cebf9b1ffc8bfd85ec5effa7e66c6d1de2e4a9576815ce48f6ca54bdd65370480af6b3cef

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                a7524052d31e0a95ca51c2212b1885c3

                                SHA1

                                ab77259f6449dc5632905bdf25c4ca27cdf55f68

                                SHA256

                                1b5fb29fbad42f7ea03e12aaf4abbce8d3cf129c9ddc85fae1a4cc6895ccbc83

                                SHA512

                                bde8da2db0e86fc99264b7e28e35ab00a41c4dc1bb00c53d5c8b5496756f6a44c70687b2df75b0d9851978d046a9fb1420c5396319b71393f8b690f0a55686c5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                                Filesize

                                16B

                                MD5

                                18e723571b00fb1694a3bad6c78e4054

                                SHA1

                                afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                SHA256

                                8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                SHA512

                                43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                Download Submit

                              • memory/1104-12-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/1104-8-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/1104-18-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/1104-10-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/1104-16-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/1104-21-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/1104-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1104-13-0x0000000000400000-0x0000000000442000-memory.dmp

                                Filesize

                                264KB

                                Download

                              • memory/2336-6-0x0000000000580000-0x000000000058E000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/2336-24-0x0000000074CA0000-0x000000007538E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2336-7-0x0000000004F20000-0x0000000004FA4000-memory.dmp

                                Filesize

                                528KB

                                Download

                              • memory/2336-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2336-5-0x0000000074CA0000-0x000000007538E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2336-4-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2336-3-0x0000000000400000-0x000000000041A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/2336-2-0x0000000074CA0000-0x000000007538E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2336-1-0x0000000000230000-0x00000000002EC000-memory.dmp

                                Filesize

                                752KB

                                Download

                              • memory/2660-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2660-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

                                Filesize

                                64KB

                                Download