Analysis
- max time kernel: 153s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:53
Static task: static1
Behavioral task: behavioral1
- Sample: Proforma Invoice.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Proforma Invoice.exe
- Resource: win10v2004-20220414-en
General
- Target: Proforma Invoice.exe
- Size: 923KB
- MD5: 2b952a9344d926a08dfd69de423528e2
- SHA1: 823670d855617a727ae9d9aa0858e49c558bcf41
- SHA256: ae451bf0f958bf82ce70a55e5e0af6fbb70f1b06cd0bacb5bdc196c16f6da11b
- SHA512: e9783f69df250cbee29aba8ef09bdbf0de4a6ca1f181b1505bd772aec43753b828befc46e717f6654a0010de93dbe9623abc3027746e8b383e2cb02712159236
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.shyuanhzimeng.com
- Port: 587
- Username: [email protected]
- Password: I$uEADXU7
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3056-132-0x00000000009B0000-0x00000000009FC000-memory.dmp | family_agenttesla
  behavioral2/memory/3056-133-0x00000000009B0000-0x00000000009FC000-memory.dmp | family_agenttesla
- Drops startup file (1 IoC)
  Processes: notepad.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sales1.vbs | notepad.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: Proforma Invoice.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Proforma Invoice.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Proforma Invoice.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Proforma Invoice.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Proforma Invoice.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe" | Proforma Invoice.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Proforma Invoice.exe
  description | pid | process | target process
  PID 2372 set thread context of 3056 | 2372 | Proforma Invoice.exe | Proforma Invoice.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: Proforma Invoice.exe, Proforma Invoice.exe
  pid | process
  2372 | Proforma Invoice.exe
  2372 | Proforma Invoice.exe
  3056 | Proforma Invoice.exe
  3056 | Proforma Invoice.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: Proforma Invoice.exe
  pid | process
  2372 | Proforma Invoice.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Proforma Invoice.exe
  description | pid | process
  Token: SeDebugPrivilege | 3056 | Proforma Invoice.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Proforma Invoice.exe
  description | pid | process | target process
  PID 2372 wrote to memory of 3720 | 2372 | Proforma Invoice.exe | notepad.exe
  PID 2372 wrote to memory of 3720 | 2372 | Proforma Invoice.exe | notepad.exe
  PID 2372 wrote to memory of 3720 | 2372 | Proforma Invoice.exe | notepad.exe
  PID 2372 wrote to memory of 3720 | 2372 | Proforma Invoice.exe | notepad.exe
  PID 2372 wrote to memory of 3720 | 2372 | Proforma Invoice.exe | notepad.exe
  PID 2372 wrote to memory of 3056 | 2372 | Proforma Invoice.exe | Proforma Invoice.exe
  PID 2372 wrote to memory of 3056 | 2372 | Proforma Invoice.exe | Proforma Invoice.exe
  PID 2372 wrote to memory of 3056 | 2372 | Proforma Invoice.exe | Proforma Invoice.exe
- outlook_office_path (1 IoC)
  Processes: Proforma Invoice.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Proforma Invoice.exe
- outlook_win_path (1 IoC)
  Processes: Proforma Invoice.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Proforma Invoice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (depth 2)
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2372-134-0x0000000000400000-0x00000000004ED000-memory.dmp (Filesize: 948KB)
- memory/3056-131-0x0000000000000000-mapping.dmp
- memory/3056-132-0x00000000009B0000-0x00000000009FC000-memory.dmp (Filesize: 304KB)
- memory/3056-133-0x00000000009B0000-0x00000000009FC000-memory.dmp (Filesize: 304KB)
- memory/3056-135-0x0000000074AD0000-0x0000000075081000-memory.dmp (Filesize: 5.7MB)
- memory/3720-130-0x0000000000000000-mapping.dmp