Analysis

  • max time kernel
    185s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:10

General

  • Target

    INV.exe

  • Size

    853KB

  • MD5

    38670fbeb0f4e40e3f76149027ebe5fa

  • SHA1

    80d1f1a7b469676b66b0c98bcaec5410470b0e99

  • SHA256

    c8613cbe02f1e23ab87fcce103efa89cc8da78705c42ca373fa45f3d213b9f5a

  • SHA512

    c6f30a191e6a2fe83e7ded892cbecb8d4ed1d4c778b8e3d5f083a311aad4c40f951016c8576e4454e8a7f52fd70e75a0b43629e034c9334508740cee6fd889bc

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ezesundayngma

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 2 IoCs
  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INV.exe
    "C:\Users\Admin\AppData\Local\Temp\INV.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Drops startup file
      PID:1596
    • C:\Users\Admin\AppData\Local\Temp\INV.exe
      "C:\Users\Admin\AppData\Local\Temp\INV.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:828
    • C:\Users\Admin\AppData\Local\Temp\INV.exe
      "C:\Users\Admin\AppData\Local\Temp\INV.exe" 2 828 240583953
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4352

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/664-131-0x00000000022C0000-0x00000000022CF000-memory.dmp
    Filesize: 60KB
  • memory/828-133-0x0000000000000000-mapping.dmp
  • memory/828-138-0x0000000000960000-0x00000000009BA000-memory.dmp
    Filesize: 360KB
  • memory/828-137-0x0000000000960000-0x00000000009BA000-memory.dmp
    Filesize: 360KB
  • memory/828-139-0x0000000073E50000-0x0000000074401000-memory.dmp
    Filesize: 5.7MB
  • memory/1596-132-0x0000000000000000-mapping.dmp
  • memory/4352-134-0x0000000000000000-mapping.dmp