Overview

overview

10

Static

static

3

new invoice.exe

windows7-x64

10

new invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2023, 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new invoice.exe

  • Size

    631KB

  • MD5

    becf866a427725c60201053c7ad2fc2b

  • SHA1

    d1349e123509e8ddb230f23f8d4f2459aa67e545

  • SHA256

    64898357ce95b4c3c20b0e219efcf4d2f9c894f0e46160e11e49a54e3420b4e0

  • SHA512

    9b0abc09c8629877e33d13a5c8d6d3819d0f8536b6dd4a4b819743deb525abf945ef14cd79c965978ed29ec6fd81cbaca2e96fb9cd97c067d7453fdc4eb11cb2

  • SSDEEP

    12288:M6WHdn7wwCD7PRQZ9Y5NMGdk2bt+DwcZqgp/k6CIoM:MtHl0pH5QZ9PCJ+k8qWk6CDM

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\new invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\new invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4260
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 1980
        3⤵
        • Program crash
        PID:4484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4260 -ip 4260
    1⤵
      PID:4008

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1836-8-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-10-0x0000000006380000-0x00000000063FA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/1836-2-0x00000000050D0000-0x0000000005674000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1836-3-0x0000000004B20000-0x0000000004BB2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1836-4-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-5-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1836-6-0x0000000004D70000-0x0000000004D7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1836-7-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1836-0-0x0000000000040000-0x00000000000E4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1836-1-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1836-9-0x00000000050B0000-0x00000000050BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1836-11-0x00000000089E0000-0x0000000008A7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1836-14-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4260-12-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4260-15-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4260-16-0x0000000005720000-0x0000000005730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4260-17-0x00000000058A0000-0x0000000005906000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4260-18-0x0000000074D00000-0x00000000754B0000-memory.dmp

      Filesize

      7.7MB

      Download