Analysis

  • max time kernel
    151s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    28-09-2021 06:09

General

  • Target

    Revised Proforma Invoice_New order.exe

  • Size

    622KB

  • MD5

    3a391e960ff363979a5ac9dc3a95c636

  • SHA1

    8930a2e630f133dfb78e87e06b4f9ecd882a84e1

  • SHA256

    8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47

  • SHA512

    9ad6f160cef7ba108a88ee963aa224c1766bfb183e7934a88b5a7019788b6874009a4a921f8b853329be940d08de74e3ddb0170e69b60152fbd950a5889a5926

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    s1.20mb.nl
  • Port:
    587
  • Username:
    whitesend@billionv.com
  • Password:
    fgd436-=/eVNM!!@#)mmnb

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe
    "C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
    • C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe
      "C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:636

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 3

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised Proforma Invoice_New order.exe.log
    MD5

    605f809fab8c19729d39d075f7ffdb53

    SHA1

    c546f877c9bd53563174a90312a8337fdfc5fdd9

    SHA256

    6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

    SHA512

    82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    66382a4ca6c4dcf75ce41417d44be93e

    SHA1

    8132cbef1c12f8a89a68a6153ade4286bf130812

    SHA256

    a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

    SHA512

    2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    033add4b0e6ec3009beaffe1d7c942e6

    SHA1

    fcde9fa7911da955958446c70414a1bea9668993

    SHA256

    845f0886c832d3832011dabcc2d61d9272e83e8f857fc12c36c1bab859c6724b

    SHA512

    9cd4e442bff54a125c4f6a34e7226c582c6e6e410895092380752fdbc6292c60204c27783422bd226a27a53b1d8e65a7ebe405bac10a0f9a4c3f7bf36c545b3f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    4dcb38eb43f897a885dc36df0851097d

    SHA1

    7eec621e5e57c7b83e72e23d67aee6602ffc4071

    SHA256

    018c5c367b22fcf1a584b1107af8564f6e9cb50233351b86073a9b758556a263

    SHA512

    c193af461c7539274e49d2d31ab44e1089e0ae04f1a68c756accc20fe375c10cbf951886443bebc85e14ee4201aebaf8eb870bffe1c80f28f9c837a9c2969034
