Overview

overview

10

Static

static

DUE INVOICES.exe

windows7_x64

10

DUE INVOICES.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DUE INVOICES.exe

  • Size

    958KB

  • MD5

    c3dd015c631875adfecc6c229b474cf4

  • SHA1

    26835d1df6761a455b6645fd27dba5dc7ed506b3

  • SHA256

    7299f2323910def53bb344e98441a66dba82b84b0d8ec89dbddf0ee6a936280a

  • SHA512

    dab1e8d81bcbf7a79aa454711a02c8f6cc39ce7aa07031a7891f57aba9f4bdb5a8d215436ff912a615954ace3d43a5d81e8fd01c08694585c4bbbf80967ecb4c

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.sat0rius.com
  • Port:
    587
  • Username:
    sahar.fuchs@sat0rius.com
  • Password:
    Almaseera_delta_0000

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe
    "C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OOzsNXDsbStEu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB700.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:380
    • C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe
      "C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe"
      2⤵
        PID:440
      • C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe
        "C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:960

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB700.tmp
      MD5

      218ce78e92d1c163a0b56e991fbee11a

      SHA1

      0d7bf4732da3aa86e33573632058f721d162deef

      SHA256

      c3b730474737186238d52f4a5d10cfb89997bb0eae8975fa56091c1c2a5f09d4

      SHA512

      68c593c36d56363f00e016b8335a493f68cf08c544599f1105b75accc6b303e5057e9837497c0a36f3d596aeeb700a439403792bdffb508aebbc9f1a3e709ab9

      Download Submit
    • memory/380-66-0x0000000000000000-mapping.dmp
      Download
    • memory/960-68-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/960-69-0x000000000043759E-mapping.dmp
      Download
    • memory/960-70-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/960-72-0x0000000004980000-0x0000000004981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1864-60-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1864-62-0x0000000000600000-0x0000000000604000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1864-63-0x0000000004C10000-0x0000000004C11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1864-64-0x0000000005140000-0x0000000005218000-memory.dmp
      Filesize

      864KB

      Download
    • memory/1864-65-0x00000000053E0000-0x000000000547F000-memory.dmp
      Filesize

      636KB

      Download