Analysis

  • max time kernel
    6s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:36

General

  • Target

    INVOICE.exe

  • Size

    479KB

  • MD5

    bedc66c12a9045e1d8e89fd47ccd4ebb

  • SHA1

    43be31d907ec599edcd6c64b61a5d464c02a981b

  • SHA256

    94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95

  • SHA512

    c807e423c21ea4c7d507f3d8f7023acc1863490c6f984762fd146bf64ce2ba92f5df143d4762b91eace2f807029be023bbdd29553e2aa49eafaa4193f8e1e6b6

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
        "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
          "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
            "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
              "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1984
              • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
                "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:368
                • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
                  "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
                  8⤵
                    PID:668

Network

MITRE ATT&CK Matrix

Downloads

  • memory/368-13-0x0000000000000000-mapping.dmp
  • memory/668-15-0x0000000000000000-mapping.dmp
  • memory/668-17-0x0000000000400000-0x000000000044D000-memory.dmp
    Filesize

    308KB

  • memory/836-3-0x0000000000000000-mapping.dmp
  • memory/1316-5-0x0000000000000000-mapping.dmp
  • memory/1376-7-0x0000000000000000-mapping.dmp
  • memory/1668-2-0x0000000074B31000-0x0000000074B33000-memory.dmp
    Filesize

    8KB

  • memory/1984-11-0x0000000000000000-mapping.dmp
  • memory/1992-9-0x0000000000000000-mapping.dmp