Analysis
- max time kernel: 132s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 16:10
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE IMPORT.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: INVOICE IMPORT.exe
  Resource: win10v20201028
General
- Target: INVOICE IMPORT.exe
- Size: 540KB
- MD5: 48486799753fb9eab18832a061e1114d
- SHA1: 2aeb9ad4598f951f12e1154e1eb2be7271acbbc7
- SHA256: 451381760beee5124df9d6fe4d2a447dfcb420473800e9004d86159a0396547f
- SHA512: c5b56bdb043872fa29bfa70ea2250403d3523adf3c1d4857e6353e1625d5545683a860ead08fdc77dc52afa8439694700b22e00952e239853e0bee514833833c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.indiaflanges.com
- Port: 587
- Username: info@indiaflanges.com
- Password: dvdxq;nx{(MV5@m
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1296-8-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/1296-9-0x000000000043760E-mapping.dmp | family_agenttesla
    behavioral1/memory/1296-11-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1684 set thread context of 1296 | 1684 | INVOICE IMPORT.exe | INVOICE IMPORT.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    1296 | INVOICE IMPORT.exe
    1296 | INVOICE IMPORT.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1296 | INVOICE IMPORT.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    1296 | INVOICE IMPORT.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 1684 wrote to memory of 1296 | 1684 | INVOICE IMPORT.exe | INVOICE IMPORT.exe
    (the same entry is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE IMPORT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE IMPORT.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INVOICE IMPORT.exe
    Command line: "{path}"
    Depth: 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1296-8-0x0000000000400000-0x000000000043C000-memory.dmp, Filesize: 240KB
- memory/1296-9-0x000000000043760E-mapping.dmp
- memory/1296-10-0x0000000074670000-0x0000000074D5E000-memory.dmp, Filesize: 6.9MB
- memory/1296-11-0x0000000000400000-0x000000000043C000-memory.dmp, Filesize: 240KB
- memory/1296-13-0x0000000004820000-0x0000000004821000-memory.dmp, Filesize: 4KB
- memory/1296-14-0x0000000004821000-0x0000000004822000-memory.dmp, Filesize: 4KB
- memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp, Filesize: 6.9MB
- memory/1684-3-0x00000000009C0000-0x00000000009C1000-memory.dmp, Filesize: 4KB
- memory/1684-5-0x0000000004B50000-0x0000000004B51000-memory.dmp, Filesize: 4KB
- memory/1684-6-0x00000000003B0000-0x00000000003BE000-memory.dmp, Filesize: 56KB
- memory/1684-7-0x0000000004BF0000-0x0000000004C47000-memory.dmp, Filesize: 348KB