Overview

overview

10

Static

static

5

OC 129075-...P).zip

windows7-x64

1

c5c342a67e...5d.eml

windows7-x64

5

OC 129075-JG-3229.rar

windows7-x64

10

OC 129075-JG-3229.exe

windows7-x64

10

Resubmissions

28/03/2025, 20:04

250328-ytek4ssmw3 10

Analysis

  • max time kernel
    87s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2025, 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OC 129075-JG-3229.rar

  • Size

    550KB

  • MD5

    92ca133e27d245b891b865b36a8eaacc

  • SHA1

    b945e869e422f972cf23370fec8c9f141a174c7a

  • SHA256

    36fe9874c1c7e5c083ca7780dfe57018f5057ca1989472132a2d877409cb1f78

  • SHA512

    494e7a820fc034a61f15fa7f77035f95a56b9b33fcb17af97b9b2bbddffad181a9492fcaf318284b8912d1f1f1c07be31611ee60864076eebcfadea3696944be

  • SSDEEP

    12288:llOdZ9ZUIZ7vBN/2aS5LuYBlcCUf03KQMIKml77EG:l4dpBOhP0fJ7ml77

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.stingatoareincendii.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    3.*RYhlG)lkA

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Executes dropped EXE 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OC 129075-JG-3229.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\7zO0D7A2137\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D7A2137\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D7A2137\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
    • C:\Users\Admin\AppData\Local\Temp\7zO0D7AB817\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D7AB817\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D7AB817\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
    • C:\Users\Admin\AppData\Local\Temp\7zO0D7EDC67\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D7EDC67\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D7EDC67\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\7zO0D7B8B67\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D7B8B67\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D7B8B67\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
    • C:\Users\Admin\AppData\Local\Temp\7zO0D78BA28\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D78BA28\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D78BA28\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:696
    • C:\Users\Admin\AppData\Local\Temp\7zO0D764038\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D764038\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D764038\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:540
    • C:\Users\Admin\AppData\Local\Temp\7zO0D7CE338\OC 129075-JG-3229.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0D7CE338\OC 129075-JG-3229.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1540
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO0D7CE338\OC 129075-JG-3229.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO0D7A2137\OC 129075-JG-3229.exe
    Filesize

    1.0MB

    MD5

    ca05eaa8df0531cb2f76d5a2baa5aaea

    SHA1

    688adb6f0a0ab7f13d47d0c16326221e20fa7b10

    SHA256

    66d7d602350b27bd25ca73436b6b7598c65e5022cc8062eb5c87dc604ab97952

    SHA512

    3e59f0eefd60ac5783ab291e89484532f5bf6ab105f83a4f34099815b26375097cf984050f9b00e2c90631cb07b600aa18cba3b93f24b1f4e2d6447a1e7cfdf0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aut4A49.tmp
    Filesize

    150KB

    MD5

    16011a9ae2a7fdc9e7e1612b4efe31ae

    SHA1

    d1f62aee7e0396d2e79035a0f8e7dded376636bb

    SHA256

    e55515aab193ad5b319ded7db5213b44bd4a27feeaefc4f5d9db87f13d71bb48

    SHA512

    3def9623ce8a4bb99f522d4e2da4c0b7e4328edc874f509d0d4982845a56cc2310f10d8f85c1c30697454a575d759ffb5d9d4b83d42358f9a6983eb0e4eecd46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nonsubmerged
    Filesize

    238KB

    MD5

    e858a08a8daa5d4f830d579cc04731ce

    SHA1

    77f557077dc8bcafd75574da1a1e47d8bc5c9f16

    SHA256

    2313d87b359da4dedaf95fa676d92ff55b431fd764f8c409aa5e04a4078eef5d

    SHA512

    f671a3d380bcce1c5c0058e4b5cc13cb6fe607006e5ca6291a152cf67b04d945ea0fee0065c4b510f52b4722a8f37ff44797e9661ad05348ed3d7f29403c6908

    Download Submit

  • memory/2784-18-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2784-26-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2784-23-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2784-19-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2908-46-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2908-48-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2908-47-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download