Analysis
-
max time kernel
142s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:37
General
-
Target
revised invice.exe
-
Size
549KB
-
MD5
fa4df694ec1e19c5ad3a142fb849a171
-
SHA1
6e8379dc7a5fb7b7f67a4f31817c38dea632b89a
-
SHA256
d0b87c89ca8f853d80565f7381435da6801641f2083e3011dcaefa278c402785
-
SHA512
1eac1101e159009dcf73e87cfe61470b6d81b4a068e0d4eb501d03e048cec9de10127ea1c053141efa2807e1db4db20fd9e6fce709bb5bccf435a350fca2a38f
Malware Config
Extracted
Protocol: smtp- Host:
theroyalsandskohrong.com - Port:
587 - Username:
marine@theroyalsandskohrong.com - Password:
Royal@2019
Extracted
agenttesla
Protocol: smtp- Host:
theroyalsandskohrong.com - Port:
587 - Username:
marine@theroyalsandskohrong.com - Password:
Royal@2019
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\revised invice.exe"C:\Users\Admin\AppData\Local\Temp\revised invice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RVYivzbHtgCce" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8785.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\revised invice.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\revised invice.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\revised invice.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\revised invice.exe.logMD5
2ce1b56364fa233e3c3b24c1094c08ef
SHA16bd332829aebe567d7b2cb1fd9a82dfe1791052f
SHA256dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e
SHA5125abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9
-
C:\Users\Admin\AppData\Local\Temp\tmp8785.tmpMD5
02a2193780b7f991094c5893d8290e4f
SHA1b1b678f673949ec75f53f523d4c95babff7c0a67
SHA256ce23520f0813a824eea3fb3383d092c259f48f9ff59a5fffb6b3663e10a21f5c
SHA5126c9e246f81614e97ab1d4ec0df7d41d2f136af15606eedbab0906951420433538b01621c283f08c62b5eb34d00416d4fb1cec26b7c59a2432170c899248fe8fb
-
memory/1320-9-0x0000000000000000-mapping.dmp
-
memory/3184-3-0x0000000000000000-mapping.dmp
-
memory/4064-5-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4064-6-0x000000000044CDEE-mapping.dmp