Overview

overview

10

Static

static

Invoice_PDF.exe

windows7_x64

10

Invoice_PDF.exe

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    02-12-2021 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice_PDF.exe

  • Size

    571KB

  • MD5

    1dcc43f272f66d8e5afe11e7276dd122

  • SHA1

    cb6a88d1443e7cca944a4176e2a8ebc205f715e3

  • SHA256

    0c6a99b9327cbcb0f3c5b18bc93d347ec8adcb3686e562c515ee4388713e8ed7

  • SHA512

    d3b4b4c93a0b1be2b3effe11e1a4db954f65dc9edf722310ee43defa5cecce6f717fc518b9735c71ef4fac53202c3d314ee6e7e0aab789bc881e4eab6e65a111

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe"
      2⤵
        PID:936
      • C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe"
        2⤵
          PID:1960
        • C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe"
          2⤵
            PID:1964
          • C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe
            "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF.exe"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:844

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/840-55-0x0000000000210000-0x0000000000211000-memory.dmp
          Filesize

          4KB

          Download
        • memory/840-57-0x0000000076081000-0x0000000076083000-memory.dmp
          Filesize

          8KB

          Download
        • memory/840-58-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/840-59-0x00000000004B0000-0x00000000004B4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/840-60-0x00000000057B0000-0x0000000005832000-memory.dmp
          Filesize

          520KB

          Download
        • memory/844-61-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/844-62-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/844-63-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/844-64-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/844-65-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/844-66-0x000000000043772E-mapping.dmp
          Download
        • memory/844-67-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/844-69-0x00000000006B0000-0x00000000006B1000-memory.dmp
          Filesize

          4KB

          Download