Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows10_x64 -
resource
win10 -
submitted
09-07-2020 13:44
Static task
static1
Behavioral task
behavioral1
Sample
Paid Invoice.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
Paid Invoice.exe
Resource
win10
General
-
Target
Paid Invoice.exe
-
Size
940KB
-
MD5
bde63b59d82e03cea80de443c6738c6f
-
SHA1
34e77df4e37a23a8c45f9b9a62a938d756add173
-
SHA256
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
-
SHA512
f1e68b492747884786996bec97214fb4a126444dc4928803cecfa7f0a716fa29c822f76eeff41d7b7ca164cde4b24a70e45aecdf8c8b9ff1d1cabd3800b6850d
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
Blessing123
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Paid Invoice.exePaid Invoice.exepid process 792 Paid Invoice.exe 792 Paid Invoice.exe 2296 Paid Invoice.exe 2296 Paid Invoice.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Paid Invoice.exedescription pid process target process PID 792 wrote to memory of 2296 792 Paid Invoice.exe Paid Invoice.exe PID 792 wrote to memory of 2296 792 Paid Invoice.exe Paid Invoice.exe PID 792 wrote to memory of 2296 792 Paid Invoice.exe Paid Invoice.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Paid Invoice.exedescription pid process target process PID 792 set thread context of 2296 792 Paid Invoice.exe Paid Invoice.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Paid Invoice.exedescription pid process Token: SeDebugPrivilege 2296 Paid Invoice.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Paid Invoice.exepid process 792 Paid Invoice.exe -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes:
resource yara_rule behavioral2/memory/2296-0-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral2/memory/2296-2-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral2/memory/2296-3-0x0000000000400000-0x00000000004A4000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:792 -
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296