Analysis
-
max time kernel
93s -
max time network
48s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
09/07/2020, 12:15
General
-
Target
Invoice.exe
-
Size
533KB
-
MD5
676213812fcd942f150519418bad81f0
-
SHA1
63c6513df8879238baef6869bd2c2c5324626337
-
SHA256
c8f62dda091a29ed35c26e212840d0c260c9f420f5a7940b2b1f088ad10a3c2d
-
SHA512
945e542fc9dca0dc00f342749fd4662fadf68b2284b8955211771f8a4d2bf897e12ee10fe9435b57bdd757aa954a239ed0f42d5e787f827113e69f825262b730
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.visgring.com - Port:
587 - Username:
[email protected] - Password:
uqtQpAv1
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB