Analysis

Max time kernel: 115s
Max time network: 117s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 26-02-2021 07:13

Tasks:
- Static task static1
- Behavioral task behavioral1: sample INVOICE-0899877.jar, resource win7v20201028
- Behavioral task behavioral2: sample INVOICE-0899877.jar, resource win10v20201028
General

Target: INVOICE-0899877.jar
Size: 1.0MB
MD5: 69177a6a0ac1953b7fe870f44d0b08b5
SHA1: 050090f180f571711def0706a23e32a715ec5be5
SHA256: 381768716f30918b472bb41e9aca29d1b01643ec1892545453d104f03bc2a612
SHA512: b03921f0e1ad1df192b6c85663fdcb22700808829c02356ee9a82623267553b77b974f14bdf710b4fd523ccee97c0d31cae9fcf0989c85712f65e607e7a665dd
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: mail.potagrup.com
Port: 587
Username: [email protected]
Password: Pgrup@2021
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Snake Keylogger
Keylogger and infostealer first seen in November 2020.

Snake Keylogger Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/2888-21-0x0000000000400000-0x00000000004D3000-memory.dmp | family_snakekeylogger
behavioral2/memory/2888-22-0x000000000040104C-mapping.dmp | family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe | family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe | family_snakekeylogger
AgentTesla Payload (6 IoCs)
resource | yara_rule
behavioral2/memory/2888-21-0x0000000000400000-0x00000000004D3000-memory.dmp | family_agenttesla
behavioral2/memory/2888-22-0x000000000040104C-mapping.dmp | family_agenttesla
C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe | family_agenttesla
C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe | family_agenttesla

Beds Protector Packer (1 IoC)
Detects Beds Protector packer used to load .NET malware.
resource | yara_rule
behavioral2/memory/2824-9-0x0000000005820000-0x0000000005923000-memory.dmp | beds_protector

Executes dropped EXE (5 IoCs)
pid | process
2824 | cb1M.exe
2888 | cb1M.exe
3780 | 0RIGIN 2.0.exe
3788 | 0RIGIN 4.0.exe
2076 | PGRUP SNAKE2021.exe

Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Powershell.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
12 | freegeoip.app
8 | checkip.dyndns.org
11 | freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2824 set thread context of 2888 | 2824 | cb1M.exe | cb1M.exe

Drops file in Program Files directory (12 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | java.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | java.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
3136 | Powershell.exe
3136 | Powershell.exe
2076 | PGRUP SNAKE2021.exe
3788 | 0RIGIN 4.0.exe
3788 | 0RIGIN 4.0.exe
3136 | Powershell.exe
3780 | 0RIGIN 2.0.exe
3780 | 0RIGIN 2.0.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3136 | Powershell.exe
Token: SeDebugPrivilege | 2076 | PGRUP SNAKE2021.exe
Token: SeDebugPrivilege | 3788 | 0RIGIN 4.0.exe
Token: SeDebugPrivilege | 3780 | 0RIGIN 2.0.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
2888 | cb1M.exe

Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, count in last column)
description | pid | process | target process | count
PID 3928 wrote to memory of 2824 | 3928 | java.exe | cb1M.exe | 3
PID 2824 wrote to memory of 3136 | 2824 | cb1M.exe | Powershell.exe | 3
PID 2824 wrote to memory of 2888 | 2824 | cb1M.exe | cb1M.exe | 7
PID 2888 wrote to memory of 3780 | 2888 | cb1M.exe | 0RIGIN 2.0.exe | 3
PID 2888 wrote to memory of 3788 | 2888 | cb1M.exe | 0RIGIN 4.0.exe | 3
PID 2888 wrote to memory of 2076 | 2888 | cb1M.exe | PGRUP SNAKE2021.exe | 3
Processes (tree; indentation shows parent/child depth)

C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE-0899877.jar
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\cb1M.exe
    Command line: C:\Users\Admin\cb1M.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\cb1M.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\cb1M.exe
      Command line: "C:\Users\Admin\cb1M.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe" 0
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe" 0
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe" 0
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads (dropped files)

C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe
MD5: 83f896eba915c6fcd3fd1913a39b9915
SHA1: b17a0b610fec952f3669aedc8e46a2400bdb1787
SHA256: 18c57360035b052fd617a5762fb35a9299f7428e6c331fd7b4c08f4d7ec8ecb9
SHA512: f09a6c62fda5dedda7c8f0dda94bdcb7c6e0a2d2a511846907e1dc3db1a72269ca7163a1c90b2a94033817abcd4ccce11854c3a65e1799865df0f1cb76a60a74
C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe
MD5: bbc8f515c647cd3763f1586e15b5ead6
SHA1: 8ade922f0dd917c53e5ca68e45cf5201d9a2a43b
SHA256: 9a4820e61cb98fce467a1510ad20e9f11af4c4e3c8745695f008d72599a47813
SHA512: d4b56b5241725358ff1a0dd4efe26317b6b64e0c9f8184aeb84ed23bafc7a25821e9ff30f69442d112f88e636d5e4c7125a72211241ea1fc1281a4f0df5468aa
C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe
MD5: 384c7a048993884b24056406e9226729
SHA1: d5d87c41c862e3b74e9ba8eb0bb2147668815c44
SHA256: eebf27101a97ad89df8e932c8003954b7e5ee6e9f4dca5e0880751d110946f35
SHA512: 82fa49fc72df3f163855d2df103172be974fa6fc9f78b9b4192d66732ac48b21622663bed85f043a3e6c998326f28c7c43fb6fd3be5a25c951faf03172b28857
C:\Users\Admin\cb1M.exe
MD5: 97aa8299f3eae737008853b62609dc53
SHA1: 33d2ad2819f64bd616f8a0a8964c582efdaeb25b
SHA256: 3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac
SHA512: 630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391