Overview

overview

10

Static

static

1

Overdue Invoices.exe

windows10-2004-x64

10

Befingring...nt.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    294s
  • max time network
    297s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2024 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Overdue Invoices.exe

  • Size

    628KB

  • MD5

    96ae0e3a6a1553a97db15f694815c87f

  • SHA1

    1f64598e9643bfc0fbc851f223e32ddad72c612d

  • SHA256

    4490ebc3a2c6260e09ef8f4f71c08a7afc809630e56ec9e8e215a04935bb0394

  • SHA512

    f0e2979e615f95d157ca2fd6697ec6650c61f7af2aef4d4d11942796eb87776cbb93c382c031abfb8c691907dc48beaa9282ed0eb32485d1bfb0ef5d03015af9

  • SSDEEP

    12288:w38j5o5+HbWsXnE0QlpEMDmF691VC1gqMhtD4dW87cvvss5qZZsN:w3+bWsXZAPq63M1fMhtMDcvvssAsN

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Overdue Invoices.exe
    "C:\Users\Admin\AppData\Local\Temp\Overdue Invoices.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -windowstyle hidden "$Undgaaelsers=Get-Content 'C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Befingringernes\Souchie\indlsninger\Casement.Sub';$Inferably=$Undgaaelsers.SubString(55257,3);.$Inferably($Undgaaelsers)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:2176
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1748

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Befingringernes\Souchie\indlsninger\Casement.Sub
        Filesize

        54KB

        MD5

        0cd34cacd66cdbb2fc2efb1dfb83660b

        SHA1

        9e5099e40637ec5cea43b20290632225bb42d61c

        SHA256

        f41193f6e9bae66ed39755f91bebb1e5183afcd52d3afca61eaeda1ed6e0e153

        SHA512

        2d97c2370d368d66a9c09f2d86b4be2e3a6db7d8d6ead6313bb3b7da87bf465ea24cb8f2575e08b23e467740b6e1f95983229e63937e90419f0e6bd678f3cc02

        Download Submit

      • C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Terminis\Unillusive176\unhaggling.Kon
        Filesize

        325KB

        MD5

        79813c0a53e8febd326d58f886c4aab4

        SHA1

        56bfcda6894a4545618c15198b95c9721c4a21f0

        SHA256

        a5bdd3091a90e23d7bf7350f9aba9720779f2c02913f6e7930f660ea0982b9e5

        SHA512

        f8bc609df038dfd318e0cd1b7fd8d87f483b35c93c52562cb8e7079bef718154d1215075a87409b65999720776a589ac153f36aaf04a8d52bbd7096ab2edaf43

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_he3cm2zr.2k1.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/2288-56-0x00000000007E0000-0x0000000000824000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2288-59-0x00000000207F0000-0x0000000020800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2288-58-0x00000000740D0000-0x0000000074880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2288-61-0x0000000021450000-0x00000000214A0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2288-63-0x00000000740D0000-0x0000000074880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2288-55-0x0000000001A40000-0x0000000002B7C000-memory.dmp

        Filesize

        17.2MB

        Download

      • memory/2288-53-0x00000000007E0000-0x0000000001A34000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2288-49-0x0000000077D31000-0x0000000077E51000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2288-48-0x0000000077DB8000-0x0000000077DB9000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2288-47-0x0000000001A40000-0x0000000002B7C000-memory.dmp

        Filesize

        17.2MB

        Download

      • memory/2288-65-0x00000000207F0000-0x0000000020800000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-25-0x00000000062F0000-0x000000000633C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2500-46-0x0000000008B40000-0x0000000009C7C000-memory.dmp

        Filesize

        17.2MB

        Download

      • memory/2500-29-0x0000000006800000-0x0000000006822000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2500-32-0x00000000084C0000-0x0000000008B3A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2500-34-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-28-0x00000000067B0000-0x00000000067CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2500-36-0x00000000077D0000-0x00000000077D4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2500-37-0x00000000740D0000-0x0000000074880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2500-38-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-39-0x0000000008B40000-0x0000000009C7C000-memory.dmp

        Filesize

        17.2MB

        Download

      • memory/2500-40-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-41-0x0000000008B40000-0x0000000009C7C000-memory.dmp

        Filesize

        17.2MB

        Download

      • memory/2500-43-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-44-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-45-0x0000000077D31000-0x0000000077E51000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2500-30-0x0000000007890000-0x0000000007E34000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2500-27-0x0000000007240000-0x00000000072D6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2500-26-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-7-0x00000000740D0000-0x0000000074880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2500-24-0x0000000006210000-0x000000000622E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2500-54-0x00000000740D0000-0x0000000074880000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2500-19-0x0000000005C50000-0x0000000005FA4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2500-13-0x0000000005BE0000-0x0000000005C46000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2500-12-0x0000000005B70000-0x0000000005BD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2500-57-0x0000000008B40000-0x0000000009C7C000-memory.dmp

        Filesize

        17.2MB

        Download

      • memory/2500-11-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2500-10-0x0000000005430000-0x0000000005A58000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2500-9-0x0000000002C70000-0x0000000002CA6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2500-8-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download