Analysis
- max time kernel: 124s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 16:10

Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE IMPORT.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: INVOICE IMPORT.exe
  Resource: win10v20201028
General
- Target: INVOICE IMPORT.exe
- Size: 540KB
- MD5: 48486799753fb9eab18832a061e1114d
- SHA1: 2aeb9ad4598f951f12e1154e1eb2be7271acbbc7
- SHA256: 451381760beee5124df9d6fe4d2a447dfcb420473800e9004d86159a0396547f
- SHA512: c5b56bdb043872fa29bfa70ea2250403d3523adf3c1d4857e6353e1625d5545683a860ead08fdc77dc52afa8439694700b22e00952e239853e0bee514833833c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.indiaflanges.com
- Port: 587
- Username: info@indiaflanges.com
- Password: dvdxq;nx{(MV5@m
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    resource: behavioral2/memory/2148-12-0x0000000000400000-0x000000000043C000-memory.dmp | yara_rule: family_agenttesla
    resource: behavioral2/memory/2148-13-0x000000000043760E-mapping.dmp | yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 3992 set thread context of 2148 | pid: 3992 | process: INVOICE IMPORT.exe | target process: INVOICE IMPORT.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 2148 | process: INVOICE IMPORT.exe
    pid: 2148 | process: INVOICE IMPORT.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 2148 | process: INVOICE IMPORT.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid: 2148 | process: INVOICE IMPORT.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description: PID 3992 wrote to memory of 2148 | pid: 3992 | process: INVOICE IMPORT.exe | target process: INVOICE IMPORT.exe (this entry is repeated 8 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE IMPORT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE IMPORT.exe" (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INVOICE IMPORT.exe
    Command line: "{path}" (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE IMPORT.exe.log
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
- memory/2148-12-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2148-22-0x0000000005E10000-0x0000000005E11000-memory.dmp (Filesize: 4KB)
- memory/2148-21-0x0000000005260000-0x0000000005261000-memory.dmp (Filesize: 4KB)
- memory/2148-20-0x0000000005250000-0x0000000005251000-memory.dmp (Filesize: 4KB)
- memory/2148-15-0x00000000738E0000-0x0000000073FCE000-memory.dmp (Filesize: 6.9MB)
- memory/2148-13-0x000000000043760E-mapping.dmp
- memory/3992-7-0x00000000051B0000-0x00000000051B1000-memory.dmp (Filesize: 4KB)
- memory/3992-11-0x00000000088B0000-0x00000000088B1000-memory.dmp (Filesize: 4KB)
- memory/3992-10-0x00000000087B0000-0x0000000008807000-memory.dmp (Filesize: 348KB)
- memory/3992-9-0x0000000005670000-0x000000000567E000-memory.dmp (Filesize: 56KB)
- memory/3992-8-0x00000000053C0000-0x00000000053C1000-memory.dmp (Filesize: 4KB)
- memory/3992-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp (Filesize: 6.9MB)
- memory/3992-6-0x0000000005210000-0x0000000005211000-memory.dmp (Filesize: 4KB)
- memory/3992-5-0x0000000005710000-0x0000000005711000-memory.dmp (Filesize: 4KB)
- memory/3992-3-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize: 4KB)