Analysis
max time kernel: 142s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 26-11-2020 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: CORRECT INVOICE.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: CORRECT INVOICE.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: CORRECT INVOICE.exe
Size: 528KB
MD5: 9968a84f926b882fe6d76e20678424ac
SHA1: 78859dc0792f58b8a0eef20ee5eb3d82db24667c
SHA256: ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
SHA512: f732db1c908aab2d0bd2a0cb2fa607a3551021ef0483dac26eefaae67811fdd6a37b87082dae3871ae613c5240a72948d32cc3591894d1d2a3591aa2549ac72e
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: smtp.ailne-medical.com
  Port: 587
  Username: sales10@ailne-medical.com
  Password: Pass@324dadvui
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/388-5-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/388-6-0x000000000043752E-mapping.dmp | family_agenttesla
behavioral1/memory/388-7-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/388-8-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1808 set thread context of 388 | 1808 | CORRECT INVOICE.exe | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
388 | RegSvcs.exe
388 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 388 | RegSvcs.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1808 wrote to memory of 388 | 1808 | CORRECT INVOICE.exe | RegSvcs.exe
(the same entry is recorded 12 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\CORRECT INVOICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CORRECT INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of CORRECT INVOICE.exe)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/388-5-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/388-6-0x000000000043752E-mapping.dmp
- memory/388-7-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/388-8-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/388-9-0x0000000073980000-0x000000007406E000-memory.dmp (Filesize: 6.9MB)
- memory/1808-0-0x0000000073980000-0x000000007406E000-memory.dmp (Filesize: 6.9MB)
- memory/1808-1-0x0000000000D50000-0x0000000000D51000-memory.dmp (Filesize: 4KB)
- memory/1808-3-0x0000000000490000-0x00000000004A4000-memory.dmp (Filesize: 80KB)
- memory/1808-4-0x00000000050A0000-0x0000000005101000-memory.dmp (Filesize: 388KB)