invoice.exe

General

Target: invoice.exe
Filesize: 1MB
Completed: 27-07-2021 15:07
Score: 10/10
MD5: 76a240af49acdb8ff5396abb32f84e5a
SHA1: a64f8bdf5ab921873c7fcac67cc380f14c5448d4
SHA256: 1d97f0b09573ff206fdc36f12a6c6f30cb55fed8c3789e13b321382421d9151f

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: smtp.vivaldi.net
Port: 587
Username: vicanto@vivaldi.net
Password: @GoodLogs@321

Signatures (6)

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1800-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/1800-66-0x00000000004374AE-mapping.dmp | family_agenttesla
    behavioral1/memory/1800-67-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  • Suspicious use of SetThreadContext
    invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 1848 set thread context of 1800 | 1848 | invoice.exe | RegSvcs.exe
  • Suspicious behavior: EnumeratesProcesses
    RegSvcs.exe

    Reported IOCs

    pid | process
    1800 | RegSvcs.exe
    1800 | RegSvcs.exe
  • Suspicious use of AdjustPrivilegeToken
    RegSvcs.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1800 | RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
    PID 1848 wrote to memory of 1800 | 1848 | invoice.exe | RegSvcs.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800
Network

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads

  • memory/1800-66-0x00000000004374AE-mapping.dmp
  • memory/1800-67-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1800-69-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
  • memory/1800-65-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1848-63-0x0000000005870000-0x0000000005922000-memory.dmp
  • memory/1848-64-0x0000000004EC0000-0x0000000004F2E000-memory.dmp
  • memory/1848-59-0x0000000001040000-0x0000000001041000-memory.dmp
  • memory/1848-61-0x0000000000200000-0x0000000000201000-memory.dmp
  • memory/1848-62-0x0000000000470000-0x000000000048B000-memory.dmp