Analysis
- max time kernel: 113s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 11-07-2020 06:23
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Factura.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: Factura.exe, Resource: win10v200430)
General
- Target: Factura.exe
- Size: 611KB
- MD5: cc769cf566a564288cd4f5e0fa09d063
- SHA1: c6b0bfc6834a91cfa8fd77a045ea3d62dd5464c0
- SHA256: fc040f79a1bc262a30ddedb9c184174b6c809282e60d04ee1ac829104967c205
- SHA512: e39d1febe7f97c33da8584baa50318b7e23fff3596b6f1b3ef27cd8cccc79b770a9b3da8718a710509c66b8e2ba91374cc5c501b29293d8f86e2fcd072d10eb3
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process      target process
  PID 1412 set thread context of 272   1412  Factura.exe  Factura.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  272   Factura.exe
  272   Factura.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (9 entries, all identical):
  description                     pid   process      target process
  PID 1412 wrote to memory of 272 1412  Factura.exe  Factura.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  272   Factura.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  272   Factura.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\Factura.exe (PID 1412, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Factura.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Factura.exe (PID 272, depth 2, child of PID 1412)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx