Analysis
-
max time kernel
180s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 02:20
Behavioral task
behavioral1
Sample
Invoice 20200407.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Invoice 20200407.exe
Resource
win10v2004-20220414-en
General
-
Target
Invoice 20200407.exe
-
Size
522KB
-
MD5
ae4e6d5d77d778c2f3b7ddcd7ca8b572
-
SHA1
fc61df4c2c91fc0985d6efd8ead3210f5936e7b3
-
SHA256
caaa4cc129eafbe57a597050e290a56fc724309017bb28276e53f2f1496bf1db
-
SHA512
1ff059cfdcef81282ed7d2bea2aa7815f0aacc2096b30df3e654041acc8a4f299e0e32b1ba5d18a3e45e6bbf69601065c1f5e162cde63cc34ae664d2f7fc58cf
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
result.package@yandex.ru - Password:
Blessing123
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
result.package@yandex.ru - Password:
Blessing123
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4924-132-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Invoice 20200407.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice 20200407.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice 20200407.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice 20200407.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Invoice 20200407.exedescription pid process target process PID 3364 set thread context of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Invoice 20200407.exepid process 4924 Invoice 20200407.exe 4924 Invoice 20200407.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Invoice 20200407.exeInvoice 20200407.exedescription pid process Token: SeDebugPrivilege 3364 Invoice 20200407.exe Token: SeDebugPrivilege 4924 Invoice 20200407.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
Invoice 20200407.exeInvoice 20200407.exepid process 3364 Invoice 20200407.exe 3364 Invoice 20200407.exe 4924 Invoice 20200407.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Invoice 20200407.exeInvoice 20200407.exedescription pid process target process PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 3364 wrote to memory of 4924 3364 Invoice 20200407.exe Invoice 20200407.exe PID 4924 wrote to memory of 60 4924 Invoice 20200407.exe netsh.exe PID 4924 wrote to memory of 60 4924 Invoice 20200407.exe netsh.exe PID 4924 wrote to memory of 60 4924 Invoice 20200407.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
Invoice 20200407.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice 20200407.exe -
outlook_win_path 1 IoCs
Processes:
Invoice 20200407.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Invoice 20200407.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice 20200407.exe"C:\Users\Admin\AppData\Local\Temp\Invoice 20200407.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice 20200407.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Invoice 20200407.exe.logFilesize
496B
MD57baa6583f69f63f7230df9bf98448356
SHA1fe9eb85b57192362da704a3c130377fe83862320
SHA256a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
SHA5120e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051
-
memory/60-135-0x0000000000000000-mapping.dmp
-
memory/3364-130-0x0000000074C00000-0x00000000751B1000-memory.dmpFilesize
5.7MB
-
memory/4924-131-0x0000000000000000-mapping.dmp
-
memory/4924-132-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/4924-134-0x0000000074C00000-0x00000000751B1000-memory.dmpFilesize
5.7MB