Analysis

  • max time kernel
    112s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 08:42

General

  • Target

    INVOICE SHIPPING-PACKING LIST.exe

  • Size

    492KB

  • MD5

    6f793265d64232cda59fc43f2f7b120d

  • SHA1

    7a5aebb953f37e9b2f4f7ba0c9c19c945a7d808b

  • SHA256

    523827d0143781d5e1124ddcc75eaed873f190f255497217ef2f61a5714fedb8

  • SHA512

    bbbacbc4695e7088564cf85974b3ddf5aa6e3bdbc3fea8f8538ec4fa79c8e8ffeb62b3e3b59831da8aefb3be9b9e8c71d8d4b1b33ad7fae307e3356612b7e24f

  • SSDEEP

    12288:6XT5OxeW3QRu0ApGptvXqXuRfaFhgOo7zcyv:6XdOxeYGu0ApGpB+OvD

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE SHIPPING-PACKING LIST.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE SHIPPING-PACKING LIST.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
      "C:\Users\Admin\AppData\Local\Temp\mtsotp.exe" C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
        "C:\Users\Admin\AppData\Local\Temp\mtsotp.exe" C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:268

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (3) T1081
  • Discovery
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (3) T1005
    Email Collection (1) T1114


Downloads

  • C:\Users\Admin\AppData\Local\Temp\bzpeuniie.p
    Filesize

    295KB

    MD5

    496f336ad96ed901757199597ed29a8d

    SHA1

    09e89adc879aeeca2ac5bb5086a40f9bc83554b4

    SHA256

    07ed4dc2c1cd067c5dab0e8cc252a82b0c305eecce40f25052e06f128bed9ee0

    SHA512

    5b1778b4c919bf4858e85f25cad2fcbaca727444ee1cefa79d2dc698e1a7cbf8fab8e35c2512744ed6f46104ab14879ae74a031fce242250d47164ce79c2b15a

  • C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
    Filesize

    5KB

    MD5

    7eb0a236fb43d768410e5c3bb95611a6

    SHA1

    7f8a16b509031827c9a3be00b09c8ba123deb46f

    SHA256

    7613f2f3548b9188683477673897e90ccde6555b20970d1bf960e93d36d0566d

    SHA512

    d077c4db043e0eda5f6e2056a43ba936c1c4b237f472793d85804665a98029e0f162d100d2935d2eb3a902be8b3c2b71a00e8b4505f3f7b2ed8411ad05d66a17

  • C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
    Filesize

    332KB

    MD5

    448629f713a637632bc9b73f52a1a742

    SHA1

    6f0edc468fc0f658c75c7177a01091350e0c3ccd

    SHA256

    bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39

    SHA512

    e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

  • \Users\Admin\AppData\Local\Temp\mtsotp.exe
    Filesize

    332KB

    MD5

    448629f713a637632bc9b73f52a1a742

    SHA1

    6f0edc468fc0f658c75c7177a01091350e0c3ccd

    SHA256

    bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39

    SHA512

    e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

  • memory/268-63-0x0000000000401896-mapping.dmp
  • memory/268-66-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

  • memory/268-67-0x0000000004420000-0x000000000445C000-memory.dmp
    Filesize

    240KB

  • memory/948-56-0x0000000000000000-mapping.dmp
  • memory/1960-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
    Filesize

    8KB