General

Target: payment against your invoi.exe
Filesize: 499KB
Completed: 21-05-2022 19:00
Task: behavioral2
Score: 10/10
MD5: eadb9c9fbe400eeb9a6dfd465f116498
SHA1: 32fc1cfedec2ec886bcd9562cdce99f2414af041
SHA256: 7ef89eedb2b94ba182361208dc6fc31bd1dd3e378e0c5ba28a137996764a2de7
SHA512: dfc20697f28b9fab1fd33f22b6d5398f2ca5cc442bcce2db6e548d993eb8424d6bce34d883a29ddc5b78d69b4d5b2600a6fdc9c3d097b8cb50d07a064cee3eb2

Malware Config

Extracted

Family: agenttesla

Credentials
Protocol: smtp
Host: mail.trip24now.com
Port: 587
Username: services@trip24now.com
Password: Services@123#

Signatures 20

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2332-138-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Looks for VMWare Tools registry key

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    payment against your invoi.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | payment against your invoi.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | payment against your invoi.exe
  • Checks computer location settings
    payment against your invoi.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | payment against your invoi.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles
    payment against your invoi.exe

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
  • Maps connected drives based on registry
    payment against your invoi.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | payment against your invoi.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | payment against your invoi.exe
  • Suspicious use of SetThreadContext
    payment against your invoi.exe

    Reported IOCs

    description | pid | process | target process
    PID 5108 set thread context of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    4580 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    payment against your invoi.exe, payment against your invoi.exe

    Reported IOCs

    pid | process
    5108 | payment against your invoi.exe
    2332 | payment against your invoi.exe
    2332 | payment against your invoi.exe
  • Suspicious use of AdjustPrivilegeToken
    payment against your invoi.exe, payment against your invoi.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 5108 | payment against your invoi.exe
    Token: SeDebugPrivilege | 2332 | payment against your invoi.exe
  • Suspicious use of SetWindowsHookEx
    payment against your invoi.exe

    Reported IOCs

    pid | process
    2332 | payment against your invoi.exe
  • Suspicious use of WriteProcessMemory
    payment against your invoi.exe

    Reported IOCs

    description | pid | process | target process
    PID 5108 wrote to memory of 4580 | 5108 | payment against your invoi.exe | schtasks.exe
    PID 5108 wrote to memory of 4580 | 5108 | payment against your invoi.exe | schtasks.exe
    PID 5108 wrote to memory of 4580 | 5108 | payment against your invoi.exe | schtasks.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
    PID 5108 wrote to memory of 2332 | 5108 | payment against your invoi.exe | payment against your invoi.exe
  • outlook_office_path
    payment against your invoi.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
  • outlook_win_path
    payment against your invoi.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment against your invoi.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe
    "C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe"
    Checks BIOS information in registry
    Checks computer location settings
    Maps connected drives based on registry
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxqIQfPx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp"
      Creates scheduled task(s)
      PID:4580
    • C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe
      "{path}"
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2332
Network

MITRE ATT&CK Matrix

Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment against your invoi.exe.log
    MD5: a56b1681d95f33a909d6f34c33f706fb
    SHA1: e996e63f53e9041910f84a4246085c7e76d8ea37
    SHA256: 7d87bc567d369a8c708b33966c428845d44ce433d2a6445ca4ccf6449482b3a7
    SHA512: f0d7998ccb520c7229f95ed26a714b07e6a87c16d097546751f7a0f61678b0abb3fbfcc0caa8eba66fa19c09ad659f89475f0f071f3b249bd1bee07a7cd665a2
  • C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp
    MD5: e95beb85a59c704f42f0bf7e23888a33
    SHA1: 95491f50563800cc0cc419b06c2a6f7720cac0af
    SHA256: c60532a45e689b255949d9c735729ac0d2c8babaa63c91ab20aa9e27f68cdb46
    SHA512: 1556f9a2960ad8e3f348614dc5be8bac05f757dbaad5a909174b4c1c6b22028f3b4bef5e5a7e5267f38c913c5c33cf1d3e85e3c57faa42f0123996aa58d8aa1d
  • memory/2332-137-0x0000000000000000-mapping.dmp
  • memory/2332-138-0x0000000000400000-0x000000000044C000-memory.dmp
  • memory/2332-140-0x00000000069B0000-0x0000000006A00000-memory.dmp
  • memory/2332-141-0x0000000006CB0000-0x0000000006CBA000-memory.dmp
  • memory/4580-135-0x0000000000000000-mapping.dmp
  • memory/5108-130-0x0000000000710000-0x0000000000794000-memory.dmp
  • memory/5108-131-0x00000000056D0000-0x0000000005C74000-memory.dmp
  • memory/5108-132-0x00000000051C0000-0x0000000005252000-memory.dmp
  • memory/5108-133-0x0000000005260000-0x00000000052FC000-memory.dmp
  • memory/5108-134-0x00000000077D0000-0x0000000007836000-memory.dmp