Overview

overview

10

Static

static

3

new invoice.exe

windows7-x64

10

new invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new invoice.exe

  • Size

    743KB

  • MD5

    f52a3af798452ba8064246c1c05fca48

  • SHA1

    66327142382aac09b7b954a860a778e8921f3bfc

  • SHA256

    1ed60fc77b07f949a7cc3ced2dd0e0de84ce806a5ebb71d7fc51f31323f2b928

  • SHA512

    8520039308ec25ad01a08395bf875757d060ed4702561c001cd57430a660924afaedee8ac441148fce32562bd68fbecdd9675066842e2091a24800ccaee2fa12

  • SSDEEP

    12288:yBCAygw0Jxx2Nhy5BZvSkFleJSQEiqC1cS7Zx2DRZL6mJ5DTCa0mY:yRj3xky5vFIVqC19ZxsCmXCsY

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\new invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\new invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\new invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LuPGIUTRrkvtes.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LuPGIUTRrkvtes" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84C9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2548
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2492
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp84C9.tmp
      Filesize

      1KB

      MD5

      b8ad3bb209acc4f5fe30006d71440655

      SHA1

      d415b7f75b53ec0cc4247f4c9c91cc0221ade31e

      SHA256

      97e027063a2d3b4742ea671960b07338b6d3b152c889eebe319c60896b7dbe62

      SHA512

      f0235557b2e50e070857bb42453b10c55b8cf868758e370182d0ec7376165ce55d46aa688f46ae53cbce3e630b0f4b6c3933c46b4270971a329e807e047bb4ee

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      a7e69ed5b369f2e86d4d48d841f1ac0c

      SHA1

      402f9420069934a5b41d187871e6cf32c0d80175

      SHA256

      acaf1ddf5f516b13a55d33f733cc8c4c4f588ed8659cdcc16e8f8fb31b293e6d

      SHA512

      1ec5cf011484f4d2665f1787b5058cecd12804a4fc101748d73634b5b4277f0092bc64639a9a9ec9b7e215d9052bcc0a4a39ce8dfd90aa88326fe9bacb889f3c

      Download Submit

    • memory/1976-0-0x00000000001A0000-0x0000000000260000-memory.dmp

      Filesize

      768KB

      Download

    • memory/1976-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1976-2-0x0000000004C40000-0x0000000004C80000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1976-3-0x0000000000720000-0x0000000000732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1976-4-0x0000000000740000-0x000000000074C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1976-5-0x0000000005420000-0x00000000054A2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/1976-39-0x0000000074BA0000-0x000000007528E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2284-23-0x00000000026F0000-0x0000000002730000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2284-21-0x000000006F940000-0x000000006FEEB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2284-44-0x000000006F940000-0x000000006FEEB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2284-18-0x000000006F940000-0x000000006FEEB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2284-37-0x00000000026F0000-0x0000000002730000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2860-36-0x00000000024A0000-0x00000000024E0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2860-22-0x00000000024A0000-0x00000000024E0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2860-19-0x000000006F940000-0x000000006FEEB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2860-20-0x00000000024A0000-0x00000000024E0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2860-45-0x000000006F940000-0x000000006FEEB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2928-26-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-34-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2928-38-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-30-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-41-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-42-0x0000000074BA0000-0x000000007528E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2928-43-0x0000000000CD0000-0x0000000000D10000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2928-28-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-24-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2928-46-0x0000000074BA0000-0x000000007528E000-memory.dmp

      Filesize

      6.9MB

      Download