General

Target: payment against your invoi.exe
Filesize: 499KB
Completed: 21-05-2022 19:00
Task: behavioral1
Score: 10/10
MD5: eadb9c9fbe400eeb9a6dfd465f116498
SHA1: 32fc1cfedec2ec886bcd9562cdce99f2414af041
SHA256: 7ef89eedb2b94ba182361208dc6fc31bd1dd3e378e0c5ba28a137996764a2de7
SHA512: dfc20697f28b9fab1fd33f22b6d5398f2ca5cc442bcce2db6e548d993eb8424d6bce34d883a29ddc5b78d69b4d5b2600a6fdc9c3d097b8cb50d07a064cee3eb2

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: mail.trip24now.com
Port: 587
Username: services@trip24now.com
Password: Services@123#

Signatures (19)

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1176-63-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
    behavioral1/memory/1176-64-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
    behavioral1/memory/1176-65-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
    behavioral1/memory/1176-66-0x00000000004470BE-mapping.dmp | family_agenttesla
    behavioral1/memory/1176-70-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
    behavioral1/memory/1176-68-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Looks for VMWare Tools registry key

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    payment against your invoi.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | payment against your invoi.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | payment against your invoi.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles
    payment against your invoi.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
    Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
    Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
  • Maps connected drives based on registry
    payment against your invoi.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | payment against your invoi.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | payment against your invoi.exe
  • Suspicious use of SetThreadContext
    payment against your invoi.exe

    Reported IOCs

    description | pid | process | target process
    PID 1000 set thread context of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1152 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    payment against your invoi.exe

    Reported IOCs

    pid | process
    1176 | payment against your invoi.exe
    1176 | payment against your invoi.exe
  • Suspicious use of AdjustPrivilegeToken
    payment against your invoi.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1176 | payment against your invoi.exe
  • Suspicious use of SetWindowsHookEx
    payment against your invoi.exe

    Reported IOCs

    pid | process
    1176 | payment against your invoi.exe
  • Suspicious use of WriteProcessMemory
    payment against your invoi.exe

    Reported IOCs

    description | pid | process | target process
    PID 1000 wrote to memory of 1152 | 1000 | payment against your invoi.exe | schtasks.exe
    PID 1000 wrote to memory of 1152 | 1000 | payment against your invoi.exe | schtasks.exe
    PID 1000 wrote to memory of 1152 | 1000 | payment against your invoi.exe | schtasks.exe
    PID 1000 wrote to memory of 1152 | 1000 | payment against your invoi.exe | schtasks.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
    PID 1000 wrote to memory of 1176 | 1000 | payment against your invoi.exe | payment against your invoi.exe
  • outlook_office_path
    payment against your invoi.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
  • outlook_win_path
    payment against your invoi.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe
    "C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe"
    Checks BIOS information in registry
    Maps connected drives based on registry
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxqIQfPx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EA9.tmp"
      Creates scheduled task(s)
      PID:1152
    • C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe
      "{path}"
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1176
Network

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp1EA9.tmp

    MD5: d81d47136b2cbfa2226d9c19f7b5c631
    SHA1: 33ce923b0a6598b0f4b32b725e707313d5c08cfc
    SHA256: 3371eef936f0d475f51b7fd30c1282e6e6b823447a2963a65da45a1ceaef8ac7
    SHA512: 2813d761a51e0245636f8674c353f01396f48f1f416ebdba595716828d3600a512c85368b20c764b06e36c9d598b64f163242f18c33ecd4f8295dcb3b96a9e36

  • memory/1000-54-0x0000000000DD0000-0x0000000000E54000-memory.dmp
  • memory/1000-55-0x0000000000210000-0x000000000021A000-memory.dmp
  • memory/1000-56-0x0000000004990000-0x00000000049E4000-memory.dmp
  • memory/1000-57-0x0000000075F21000-0x0000000075F23000-memory.dmp
  • memory/1152-58-0x0000000000000000-mapping.dmp
  • memory/1176-63-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1176-61-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1176-60-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1176-64-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1176-65-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1176-66-0x00000000004470BE-mapping.dmp
  • memory/1176-70-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/1176-68-0x0000000000400000-0x000000000044C000-memory.dmp