Analysis
  max time kernel: 120s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20231130-en
  resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
  submitted: 06-12-2023 16:21
Static task: static1
Behavioral task: behavioral1
  Sample: PAYMENT INVOICE.BAT.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: PAYMENT INVOICE.BAT.exe
  Resource: win10v2004-20231130-en
General
  Target: PAYMENT INVOICE.BAT.exe
  Size: 639KB
  MD5: 78cdd7631daa770440ea9fa871fd8d63
  SHA1: 7a3e6d5992612d2f7b98d35f8ab2d96aa1950f61
  SHA256: 8d1d78a3ed7da56ab5783ebcc5e7c0b22921179f3d124aa7511bb952d199ef2b
  SHA512: c915fe8ddc1e3b90d4e53ba30dd30336ef8a45843dff42413300c44ac0d67a82c92565efe9df2f8b8aeb59e15adc2942eeed7bec24292170236b9e4d704690f4
  SSDEEP: 12288:jE0QaueH5qRILAmLngh9QDBSfKaPUD2vNkbMRYjWOx:jE4qRILAmmuAOD/bMvO
Malware Config
  Extracted: agenttesla
  https://api.telegram.org/bot6217230824:AAFCGEN5vk1xCq7NOzRdvuxKD2rS56-qo2g/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    2     api.ipify.org
    3     api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PAYMENT INVOICE.BAT.exe
    description                          pid   process                  target process
    PID 1344 set thread context of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PAYMENT INVOICE.BAT.exe, powershell.exe
    pid   process
    2104  PAYMENT INVOICE.BAT.exe
    2104  PAYMENT INVOICE.BAT.exe
    1676  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PAYMENT INVOICE.BAT.exe, powershell.exe
    description              pid   process
    Token: SeDebugPrivilege  2104  PAYMENT INVOICE.BAT.exe
    Token: SeDebugPrivilege  1676  powershell.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: PAYMENT INVOICE.BAT.exe
    description                    pid   process                  target process
    PID 1344 wrote to memory of 1676  1344  PAYMENT INVOICE.BAT.exe  powershell.exe
    PID 1344 wrote to memory of 1676  1344  PAYMENT INVOICE.BAT.exe  powershell.exe
    PID 1344 wrote to memory of 1676  1344  PAYMENT INVOICE.BAT.exe  powershell.exe
    PID 1344 wrote to memory of 1676  1344  PAYMENT INVOICE.BAT.exe  powershell.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
    PID 1344 wrote to memory of 2104  1344  PAYMENT INVOICE.BAT.exe  PAYMENT INVOICE.BAT.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 1344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe (PID 2104, child of 1344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1676, child of 1344)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT INVOICE.BAT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken