General
Target: Invoice.exe
Filesize: 533KB
Completed: 21-05-2022 18:55
Task: behavioral2
Score: 10/10
MD5: 676213812fcd942f150519418bad81f0
SHA1: 63c6513df8879238baef6869bd2c2c5324626337
SHA256: c8f62dda091a29ed35c26e212840d0c260c9f420f5a7940b2b1f088ad10a3c2d
SHA512: 945e542fc9dca0dc00f342749fd4662fadf68b2284b8955211771f8a4d2bf897e12ee10fe9435b57bdd757aa954a239ed0f42d5e787f827113e69f825262b730

Malware Config

Extracted

Family: agenttesla

Credentials (exfiltration channel extracted from the sample's configuration)

Protocol: smtp
Host: smtp.visgring.com
Port: 587
Username: px@visgring.com
Password: uqtQpAv1

Signatures (12)

  • AgentTesla

    Tags: Collection, Credential Access

    Description

    Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic (.NET).

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4016-136-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles
    Invoice.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Invoice.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Invoice.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Invoice.exe
  • Suspicious use of SetThreadContext
    Invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 1904 set thread context of 4016 | 1904 | Invoice.exe | Invoice.exe
  • Suspicious behavior: EnumeratesProcesses
    Invoice.exe

    Reported IOCs

    pid | process
    4016 | Invoice.exe (reported twice)
  • Suspicious use of AdjustPrivilegeToken
    Invoice.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4016 | Invoice.exe
  • Suspicious use of WriteProcessMemory
    Invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 1904 wrote to memory of 4016 | 1904 | Invoice.exe | Invoice.exe (reported eight times)
  • outlook_office_path
    Invoice.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Invoice.exe
  • outlook_win_path
    Invoice.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Invoice.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      "{path}"
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4016
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log
    (usage log written by the .NET Framework 4 runtime when a managed executable runs, consistent with a .NET loader)

    MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
    SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
    SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
    SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

  • memory/1904-130-0x00000000007A0000-0x000000000082C000-memory.dmp
  • memory/1904-132-0x00000000050F0000-0x0000000005182000-memory.dmp
  • memory/1904-133-0x0000000005090000-0x000000000509A000-memory.dmp
  • memory/1904-134-0x0000000007940000-0x00000000079DC000-memory.dmp
  • memory/1904-131-0x00000000056A0000-0x0000000005C44000-memory.dmp
  • memory/4016-135-0x0000000000000000-mapping.dmp
  • memory/4016-136-0x0000000000400000-0x000000000044C000-memory.dmp (region matched by the family_agenttesla YARA rule above)
  • memory/4016-138-0x0000000005E90000-0x0000000005EF6000-memory.dmp
  • memory/4016-139-0x0000000006510000-0x0000000006560000-memory.dmp