Overview

overview

10

Static

static

1

Dhl shipme...00.exe

windows7-x64

6

Dhl shipme...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dhl shipment documents 0002949400405000599500000.exe

  • Size

    896KB

  • MD5

    22a542bc1325916eb1816ebca91fb95b

  • SHA1

    88320ab57b6542208dc82b87ba7372c2b43f6aac

  • SHA256

    36188bc6b8b6ff6066410e82279f79a7fe8ce638fa0e3b684ff008276689f867

  • SHA512

    f7ec8166ef7202cf9f0917c2c5f7215a7ef942250ccba67a4a5ecf16ffbe5f6370ba871baabb4cfb2bcaa403bb83fe5fc41a813e1f5400c8551796068407eec3

  • SSDEEP

    24576:cQ2HggprreJ47AsXQLY21226O31A3Rh+1d:aHgfm3XQL+I3q3Rh+1d

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents 0002949400405000599500000.exe
    "C:\Users\Admin\AppData\Local\Temp\Dhl shipment documents 0002949400405000599500000.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Quarterdecks=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\Falsetstemmen\nonseparating\adjurors\Hvirvelbevgelsernes.Ikk';$Endothecal=$Quarterdecks.SubString(2893,3);.$Endothecal($Quarterdecks)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1528
          4⤵
          • Program crash
          PID:4640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528
    1⤵
      PID:1960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Falsetstemmen\nonseparating\adjurors\Hvirvelbevgelsernes.Ikk
      Filesize

      73KB

      MD5

      af165b58e2cceb026d0baf83b9595cd0

      SHA1

      6ecce4d663557932f43c6073adf571765513ddf7

      SHA256

      363ac4b321b7c972b3d56c7f240e0c568a0403e59584c994572921c2800d56c4

      SHA512

      8edd36273c0f1ee785607ae6e5881d86778b1f5eeaaa49167186055f5eb93a603aa441a3ace01048db294e793c702f182a4865163311972afb46505e9c4aebb0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Falsetstemmen\nonseparating\adjurors\Principalens.Gle
      Filesize

      325KB

      MD5

      51d0d3c20e7ead789be0befd1ac1a7f0

      SHA1

      44ef62be60f8ea6b36b06954f7ad16fc60fc7883

      SHA256

      239c12c044b0a23d94ccb374117b8518f07e99645e3644f06cd34bc0cd910141

      SHA512

      a7e881e82b8adf99feaf600fc695a201365434c3858a4e73c44f3193e37920a262ce665ffa21396e18e99f83dcdf6fc4c818e9d694d57e3f6155c453851648ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itves5ny.1jp.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\dowdies.lnk
      Filesize

      906B

      MD5

      1e818ff72d4125305b6497263f7adb88

      SHA1

      664b11e44c7201edc030b6bc5052440bf36dcd58

      SHA256

      677a676ff44ea03e8f95c872f8a33b27d7b5b40ce659de91d6c765836992f5dd

      SHA512

      6515ef0635b87769349bef21533cc7169edf9cc184c80638e836f2b1b35fecb95e985e19848d6f792062d172f3da92d1b87cb76c0053fd220f2455c1da55f72b

      Download Submit

    • memory/1528-217-0x0000000000E00000-0x0000000002054000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3712-193-0x0000000007760000-0x0000000007803000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3712-196-0x00000000079E0000-0x00000000079F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3712-160-0x0000000005BD0000-0x0000000005C36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3712-161-0x0000000005C40000-0x0000000005CA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3712-158-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-164-0x0000000005CB0000-0x0000000006004000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3712-172-0x0000000006310000-0x000000000632E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3712-173-0x0000000006340000-0x000000000638C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3712-174-0x00000000073B0000-0x0000000007446000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3712-175-0x0000000006800000-0x000000000681A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3712-176-0x0000000006880000-0x00000000068A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3712-177-0x0000000007A00000-0x0000000007FA4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3712-157-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-179-0x0000000008630000-0x0000000008CAA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3712-180-0x0000000007510000-0x0000000007542000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3712-181-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-182-0x000000006FBB0000-0x000000006FBFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3712-156-0x0000000005530000-0x0000000005B58000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3712-192-0x00000000074F0000-0x000000000750E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3712-194-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-195-0x0000000007880000-0x000000000788A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3712-159-0x00000000052C0000-0x00000000052E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3712-197-0x0000000007FE0000-0x0000000007FEE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3712-198-0x0000000007FF0000-0x0000000008004000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3712-199-0x0000000008030000-0x000000000804A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3712-200-0x0000000008020000-0x0000000008028000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3712-201-0x0000000008030000-0x000000000805A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3712-202-0x0000000008060000-0x0000000008084000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3712-203-0x000000007373E000-0x000000007373F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3712-204-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-205-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-206-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-207-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-155-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3712-209-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-210-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-211-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-212-0x0000000008CB0000-0x000000000EA66000-memory.dmp

      Filesize

      93.7MB

      Download

    • memory/3712-213-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-215-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-216-0x0000000073730000-0x0000000073EE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3712-154-0x000000007373E000-0x000000007373F000-memory.dmp

      Filesize

      4KB

      Download