Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 06:59
Static task: static1
Behavioral task: behavioral1
- Sample: CORRECT INVOICE.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: CORRECT INVOICE.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: CORRECT INVOICE.exe
- Size: 528KB
- MD5: 9968a84f926b882fe6d76e20678424ac
- SHA1: 78859dc0792f58b8a0eef20ee5eb3d82db24667c
- SHA256: ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
- SHA512: f732db1c908aab2d0bd2a0cb2fa607a3551021ef0483dac26eefaae67811fdd6a37b87082dae3871ae613c5240a72948d32cc3591894d1d2a3591aa2549ac72e
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.ailne-medical.com
  - Port: 587
  - Username: sales10@ailne-medical.com
  - Password: Pass@324dadvui
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/3612-10-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/3612-11-0x000000000043752E-mapping.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes: CORRECT INVOICE.exe
    description | pid | process | target process
    PID 416 set thread context of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
    pid | process
    3612 | RegSvcs.exe
    3612 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
    description | pid | process
    Token: SeDebugPrivilege | 3612 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: CORRECT INVOICE.exe
    description | pid | process | target process
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
    PID 416 wrote to memory of 3612 | 416 | CORRECT INVOICE.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CORRECT INVOICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CORRECT INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of CORRECT INVOICE.exe)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/416-0-0x0000000073520000-0x0000000073C0E000-memory.dmp (Filesize: 6.9MB)
- memory/416-1-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize: 4KB)
- memory/416-3-0x0000000005070000-0x0000000005071000-memory.dmp (Filesize: 4KB)
- memory/416-4-0x0000000004C10000-0x0000000004C11000-memory.dmp (Filesize: 4KB)
- memory/416-5-0x0000000004BE0000-0x0000000004BE1000-memory.dmp (Filesize: 4KB)
- memory/416-6-0x0000000008670000-0x0000000008671000-memory.dmp (Filesize: 4KB)
- memory/416-7-0x0000000005740000-0x0000000005754000-memory.dmp (Filesize: 80KB)
- memory/416-8-0x0000000008220000-0x0000000008221000-memory.dmp (Filesize: 4KB)
- memory/416-9-0x0000000006F30000-0x0000000006F91000-memory.dmp (Filesize: 388KB)
- memory/3612-10-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3612-11-0x000000000043752E-mapping.dmp
- memory/3612-12-0x0000000073520000-0x0000000073C0E000-memory.dmp (Filesize: 6.9MB)
- memory/3612-17-0x0000000005070000-0x0000000005071000-memory.dmp (Filesize: 4KB)
- memory/3612-18-0x0000000005BD0000-0x0000000005BD1000-memory.dmp (Filesize: 4KB)