Overview

overview

10

Static

static

3

SHIPPING D...TS.exe

windows7-x64

10

SHIPPING D...TS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SHIPPING DOCUMENTS.exe

  • Size

    718KB

  • MD5

    189df4d886ce158af73e5b17e71a5855

  • SHA1

    21457dfa6c0bd2fc3c261fe37d86eb4e6ea9d61a

  • SHA256

    47a6d649b918a7a00365351a872563afacbb744a7c0e3f2daa2edffd91bd3a5a

  • SHA512

    1432ac6b5b3e0f0432e96b5e89cb90246d0395c0fef7eb2a0cea6c85f3b56c136f7d1563e781666330653fb3ddb9277744ef7342904437d5445daa5bb5c3d17f

  • SSDEEP

    12288:CfxYRxA4Y5lyA/BxSPCmkBbyT9x/GjvEN5229d5pX28sEd1tEmuMDadW2zywof++:3ReUSjC522v5p1N1mmuMDadvzyBz

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe
    "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1932-11-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1932-18-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1932-17-0x0000000005D10000-0x0000000005D60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1932-15-0x0000000004E30000-0x0000000004E96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1932-16-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1932-13-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3344-8-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3344-7-0x000000007466E000-0x000000007466F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-0-0x000000007466E000-0x000000007466F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-9-0x00000000065A0000-0x0000000006626000-memory.dmp

    Filesize

    536KB

    Download

  • memory/3344-10-0x000000000A570000-0x000000000A60C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3344-6-0x00000000055C0000-0x00000000055DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3344-14-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3344-5-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3344-4-0x0000000005090000-0x000000000509A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3344-3-0x00000000050E0000-0x0000000005172000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3344-2-0x00000000055F0000-0x0000000005B94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3344-1-0x0000000000620000-0x00000000006DA000-memory.dmp

    Filesize

    744KB

    Download