Analysis
- max time kernel: 128s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:35
Static task: static1

Behavioral task: behavioral1
- Sample: OVER DUE INVOICES 154084.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: OVER DUE INVOICES 154084.exe
- Resource: win10v2004-20220414-en (windows10-2004_x64)
- 0 signatures, 0 seconds
General
- Target: OVER DUE INVOICES 154084.exe
- Size: 614KB
- MD5: 95a1528c17e3895f2ef124f2efc48761
- SHA1: 8cafe7112ade6208656219883772a5f9a9767203
- SHA256: 20aade0372aaf34564a83fbe0677e52f11b22196396975150393578c8e1e6a5d
- SHA512: 982eab0f1f61e184a7acb24ac5dcfef998d4556e19c2431d9239f93736e79f8fb8172b9cb7a53a61c87f3279469123d31c342e0f7c087c96d807813d6003a836
Malware Config
Extracted credentials:
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: [email protected]
- Password: bigboy5570@@@@
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/3968-132-0x0000000000000000-mapping.dmp: family_agenttesla
- behavioral2/memory/3968-133-0x0000000000400000-0x000000000044A000-memory.dmp: family_agenttesla
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.ExE)
- Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.ExE)
- Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.ExE)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (OVER DUE INVOICES 154084.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\.exe" (OVER DUE INVOICES 154084.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
- PID 2196 set thread context of 3968: pid 2196, OVER DUE INVOICES 154084.exe -> RegSvcs.ExE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
- 3968 RegSvcs.ExE
- 3968 RegSvcs.ExE
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege: pid 3968, RegSvcs.ExE
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
- 2196 OVER DUE INVOICES 154084.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 2196 wrote to memory of 3968: pid 2196, OVER DUE INVOICES 154084.exe -> RegSvcs.ExE (8 identical entries)
outlook_office_path (1 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.ExE)
outlook_win_path (1 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.ExE)
Processes
- C:\Users\Admin\AppData\Local\Temp\OVER DUE INVOICES 154084.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OVER DUE INVOICES 154084.exe"
  PID: 2196
  Signatures:
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.ExE
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.ExE"
    PID: 3968
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path