Overview

overview

10

Static

static

NEW INVOICE.exe

windows7_x64

10

NEW INVOICE.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    203s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW INVOICE.exe

  • Size

    561KB

  • MD5

    55b95046471af229ee99c420a9305466

  • SHA1

    5722d102e4010564f2428ed878c58a8a6a865e45

  • SHA256

    f63a89559c83329e8ea8f79ad5cbd03d3ae2f5a71312f26feecc132379c14eab

  • SHA512

    8eddf9d88a340fc70201fc6c2dd4b9ac9cf4523e0de24404ed2fe7ca98a832d4a30786ce82234829a2ef93d85ac83547829660cb121b0a19a7ca26af6dba9e69

Score
10/10
agentteslacollectionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.proetizo.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    :n7#l_CcH8wh

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW INVOICE.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW INVOICE.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVEwpDPWQpr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77CF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1732
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:876
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1820

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp77CF.tmp
      Filesize

      1KB

      MD5

      9de937f4b0fa1d3c73169b0aac6f275e

      SHA1

      2765f1abd8bdeb849771f44ffba53b5739eada1e

      SHA256

      629d656a1623fe01b3b3478d9be2f853629eaeb7aabc0467ca21afd9c452ee30

      SHA512

      daebc3f6b9b78659d955996c92de8eccfbbda92883a41f26ba83c07bbbd414853419de54496a6962bb58ecbf06209e0b9e4b281869848b366e86fd5144d7c9cd

      Download Submit
    • memory/1732-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1820-64-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-60-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-61-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-63-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-65-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-66-0x0000000000447FFE-mapping.dmp
      Download
    • memory/1820-70-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-68-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1820-71-0x0000000075941000-0x0000000075943000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1940-57-0x00000000047D0000-0x0000000004824000-memory.dmp
      Filesize

      336KB

      Download
    • memory/1940-56-0x0000000000580000-0x0000000000588000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1940-55-0x0000000000970000-0x00000000009CE000-memory.dmp
      Filesize

      376KB

      Download
    • memory/1940-54-0x0000000001250000-0x00000000012E6000-memory.dmp
      Filesize

      600KB

      Download