Analysis
max time kernel: 120s
max time network: 136s
platform: windows10_x64
resource: win10v20210408
submitted: 23-04-2021 10:53
Static task: static1
Behavioral task: behavioral1
  Sample: Shipping Invoice.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Shipping Invoice.exe
  Resource: win10v20210408
General
Target: Shipping Invoice.exe
Size: 853KB
MD5: 2a6aa0a5026ba0cb75c6a6c475b58da4
SHA1: 01f3140e506a6b11bf9bd52bd3c49a8883d60690
SHA256: 5f4e2a1354cd895b7deccd1e0e702bff02eee8aee5a388f98526b6e203ea131b
SHA512: e1a6530ddc0b8bb436d0104dc0b6c08f58ac20d1fa6029e1c2fcca5ed1fbfc34a49368412a609237f6180f2f4edd404d91b482d70cef3c71d321fb5601de3988
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: smtp.lokalboyz.com
Port: 587
Username: oc2021@lokalboyz.com
Password: lkEb6ovn
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET); the CLR usage log listed under Downloads indicates this sample ran as a managed binary under the 32-bit v2.0 runtime. The configuration extracted above shows the exfiltration channel this build uses: SMTP submission to smtp.lokalboyz.com on port 587 with the credentials shown.
-
AgentTesla Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/744-115-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/744-116-0x00000000004374BE-mapping.dmp | family_agenttesla
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1504 set thread context of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | process
1504 | Shipping Invoice.exe
1504 | Shipping Invoice.exe
1504 | Shipping Invoice.exe
744 | Shipping Invoice.exe
744 | Shipping Invoice.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1504 | Shipping Invoice.exe
Token: SeDebugPrivilege | 744 | Shipping Invoice.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
PID 1504 wrote to memory of 744 | 1504 | Shipping Invoice.exe | Shipping Invoice.exe
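Read together, the SetThreadContext and WriteProcessMemory tables are the sandbox's view of process hollowing: the first instance of Shipping Invoice.exe (PID 1504) starts a second copy of itself (PID 744), writes into it eight times and sets its thread context, and the AgentTesla YARA rule then fires on the child's memory. The Python below is an added example, not part of this report or of any sandbox product: it parses rows in the flattened "PID <src> <action> <dst> <pid> <process> <target process>" form used above and flags every source/target pair that shows both a SetThreadContext and at least one WriteProcessMemory, marking pairs with identical image names as self-injection. The nine Shipping Invoice.exe rows are copied from this report; the installer.exe/helper.exe row is constructed so that a write-only pair is present and ignored.

```python
"""Flag the hollowing pattern (SetThreadContext + WriteProcessMemory on the
same target) in flattened sandbox signature rows."""
import re
from collections import defaultdict

# Nine rows copied from this report's SetThreadContext / WriteProcessMemory
# tables, plus one constructed row (installer.exe -> helper.exe) that only
# writes and must not be flagged.
REPORT_EVENTS = """\
PID 1504 set thread context of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 1504 wrote to memory of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
PID 2000 wrote to memory of 2001 2000 installer.exe helper.exe
"""

# Image names may contain spaces, so anchor on the trailing ".exe" of each
# column; (?P=src) enforces that the "pid" column repeats the acting PID.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>.+\.exe) (?P<dst_image>.+\.exe)$"
)


def parse_events(text):
    """Turn flattened table rows into dicts; rows that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_hollowing(events, min_writes=1):
    """Return one finding per (src, dst) pair whose thread context was set by
    src and which src wrote to at least min_writes times. A pair with the same
    image on both sides is the self-injection variant seen in this report."""
    by_pair = defaultdict(lambda: {"ctx": 0, "writes": 0, "src_image": "", "dst_image": ""})
    for ev in events:
        rec = by_pair[(ev["src"], ev["dst"])]
        rec["src_image"], rec["dst_image"] = ev["src_image"], ev["dst_image"]
        if ev["action"] == "set thread context of":
            rec["ctx"] += 1
        else:
            rec["writes"] += 1

    findings = []
    for (src, dst), rec in sorted(by_pair.items()):
        if src != dst and rec["ctx"] > 0 and rec["writes"] >= min_writes:
            findings.append({
                "src_pid": int(src),
                "dst_pid": int(dst),
                "writes": rec["writes"],
                "self_injection": rec["src_image"] == rec["dst_image"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_events(REPORT_EVENTS)):
        print(finding)
```

The pairing is what matters for triage: WriteProcessMemory alone is common in benign software (installers, debuggers, browsers), but a context reset on a thread the writer has just filled is the signature of a hollowed child. Raising min_writes trades a few missed single-write injectors for fewer false positives from instrumentation tools.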
Processes
The tree below is read with the signature tables above: the first instance (PID 1504) launches a second copy of the same executable (PID 744), writes into it and sets its thread context, and the AgentTesla YARA rule fires on the child's memory at 0x400000-0x43C000. Both instances enable SeDebugPrivilege and enumerate processes.
1. C:\Users\Admin\AppData\Local\Temp\Shipping Invoice.exe (PID 1504)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Invoice.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Shipping Invoice.exe (PID 744, child of 1504)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Invoice.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Shipping Invoice.exe.log
MD5: 568e6f2b186c39075772d775e4189f57
SHA1: 02f642cfdd1491b1ce69e81925ed336975e2f972
SHA256: d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4
SHA512: ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156
memory/744-115-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB
memory/744-116-0x00000000004374BE-mapping.dmp
memory/744-118-0x0000000002940000-0x0000000002941000-memory.dmp
Filesize: 4KB
memory/744-119-0x0000000002941000-0x0000000002942000-memory.dmp
Filesize: 4KB
memory/1504-114-0x0000000000B40000-0x0000000000B41000-memory.dmp
Filesize: 4KB