Analysis
-
max time kernel
145s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2025, 07:13
Static task
static1
Behavioral task
behavioral1
Sample
Procentdelene.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
Procentdelene.exe
Resource
win11-20250619-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250610-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win11-20250610-en
General
-
Target
Procentdelene.exe
-
Size
870KB
-
MD5
68786837fdc79d05d4d183f7e4dd1546
-
SHA1
a28c215c0c5c807f05e44063fbaf69526cf7f3b7
-
SHA256
1eb25e230346fb5ff10dfd8daad216200205b958046fb2729b8666ba2f18f2a9
-
SHA512
24af354f735e24ced6c4fa83e72d7a10ea97fefb6b09201b5b2d91b2a5b97d5cace1c44624e06168a81672c68db0fdb0c41b40020beaf7e66967c73002bd0284
-
SSDEEP
24576:GFMMMMMMMMMMj9sbv93+MEySx9KNQ6SW/AJIoK:GFMMMMMMMMMMjY+MEycKm69/AU
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://inhanoi.net.vn - Port:
21 - Username:
[email protected] - Password:
^TSt3!FK$UBA
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
pid Process 4540 Procentdelene.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 api.ipify.org 34 api.ipify.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2860 Procentdelene.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4540 Procentdelene.exe 2860 Procentdelene.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Procentdelene.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Procentdelene.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2860 Procentdelene.exe 2860 Procentdelene.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4540 Procentdelene.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2860 Procentdelene.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4540 wrote to memory of 2860 4540 Procentdelene.exe 92 PID 4540 wrote to memory of 2860 4540 Procentdelene.exe 92 PID 4540 wrote to memory of 2860 4540 Procentdelene.exe 92 PID 4540 wrote to memory of 2860 4540 Procentdelene.exe 92 PID 4540 wrote to memory of 2860 4540 Procentdelene.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b