Overview

overview

10

Static

static

5

91dc7a5552...4b.eml

windows7-x64

5

Transferen...24.rar

windows7-x64

10

Transferen...24.exe

windows7-x64

10

Analysis

  • max time kernel
    315s
  • max time network
    316s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2025 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Transferencias Pendientes de facturacion - Maxines SRL - Dic24.rar

  • Size

    542KB

  • MD5

    9565deef5d3ec3decd7fcaab522e3630

  • SHA1

    cdd658b005bbb183f9d85bdecf9de8eb224383e8

  • SHA256

    f8664fec1486bceb5eb77dd7fce08bf86140e6fc7426fd9a42c06070997d26cd

  • SHA512

    79e3a5c5da4e1cfdd6601a6e8bcaead7f4b8d75e1d8920417a92c8a33c5af5f1f410e8eee78bf6bad1064d7bf6d70fc56f54dd7a5dd02949312e9cd7f52d8f99

  • SSDEEP

    12288:RU/aKDtOaTiMfSv4MXKWILT8Pjz3QAn6ySp01a8ndR5yTC8:RipxOawg+K70jz3Q+6Zpb8ndRcJ

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.solucionesmexico.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    dGG^ZYIxX5!B

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 8 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\7zO038F72E7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO038F72E7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO038F72E7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 316
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2612
    • C:\Users\Admin\AppData\Local\Temp\7zO038AECE7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO038AECE7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO038AECE7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2848
    • C:\Users\Admin\AppData\Local\Temp\7zO03839D18\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO03839D18\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO03839D18\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:556
    • C:\Users\Admin\AppData\Local\Temp\7zO03837F68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO03837F68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO03837F68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
    • C:\Users\Admin\AppData\Local\Temp\7zO0389FD68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0389FD68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0389FD68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
    • C:\Users\Admin\AppData\Local\Temp\7zO0387AA68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0387AA68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2164
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0387AA68\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
    • C:\Users\Admin\AppData\Local\Temp\7zO038D3968\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO038D3968\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1868
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO038D3968\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
    • C:\Users\Admin\AppData\Local\Temp\7zO03891548\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO03891548\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2432
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO03891548\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO038F72E7\Transferencias Pendientes de facturacion - Maxines SRL - Dic24.exe
    Filesize

    1.0MB

    MD5

    e7a41d3a6376d834e88548ca8e2d5187

    SHA1

    0ac56ad806f92ad780ff4e64e8610b102944aabe

    SHA256

    72c492c3198f103c677df4abbbfcfc96a3f43126d9f8ef6426cd74e879405524

    SHA512

    20e18f647a2e227b4c44a564037f744de3b6d6b4c2a9ef0a983f74451e1e9f564334ee4ecdaefa981bcb1a1cf911e2260ea15a65c13140188ee2bc7bfb27757b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aut3A81.tmp
    Filesize

    156KB

    MD5

    35929c2e023e69c41978f8ee24f439a1

    SHA1

    f8d4d51a1e7c1d9550f206028fd2edf285921c82

    SHA256

    d4c727920a236390769eeac7f1a291fc74a5f3b55802f6aee9e61754b810dc7e

    SHA512

    412df921b41cd48383d70e61bb4f081899acc695736ea0a914a8e334b863a9ac6f69da096330a15b77071227db8ac413a6c542a1e6a7a4c42bb84c1c9563272f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aut3AB1.tmp
    Filesize

    9KB

    MD5

    c7162be5fb025cea6f6ada19b20afc8a

    SHA1

    d9c4b18082e5a85b16e7d7637c2a71a4899e08cf

    SHA256

    65a8ea20f9a287b355e95559c3585b5e06e384815bf935b932c265ad1b99d2a2

    SHA512

    1b1b70f5c179fb7740629417c9fbd968a46a8ea0d3d5a065211b6741bffb25f32ad68076ee343cd5b1fb976371a32aa9a41a39d108428e03eeb1c76ee0454ff6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\directiveness
    Filesize

    239KB

    MD5

    4edb2ed7704e0e7ff87029a3f084044d

    SHA1

    b1dd7f5b5073ec3efd1e54b74773b84175e915de

    SHA256

    a9ac99785a1538f4fab49ff4b35b05c9763fe511266b0df807e3cb2291feed46

    SHA512

    13098c82c7d9cfe24744ddbc1ef9edc0db460a9ab45c4dfb9ea990ab0cbb173bcfce861ce7084aa0bddfbefc9a22ad4f7776def5e3ef03e4296929c93295cbdd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\immortaliser
    Filesize

    28KB

    MD5

    b494f52285d8be76dbe108e46a0a050d

    SHA1

    de1bedae3192da36c5dbee35180ec70c3b5695f0

    SHA256

    838c8a44ce1f3accadfb6454d050d7459bc717dcba5280e0a6bbfa211da09361

    SHA512

    b57098e9aa2473c9c993a9192f668c6d47aac2b2f347691f9624d262ff97e2933c38b2fd383a86c8e66089e880e7fcb313a8e9ead93e0abb5d9411bc0e6dff97

    Download Submit

  • memory/1248-142-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1248-153-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1248-160-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1248-157-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2664-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2664-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2664-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download