Analysis
-
max time kernel
116s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2024, 12:14
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE-BUO2300000.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
INVOICE-BUO2300000.exe
Resource
win10v2004-20240226-en
General
-
Target
INVOICE-BUO2300000.exe
-
Size
774KB
-
MD5
aca3eeaff7c67d96a626259d3d73a20f
-
SHA1
cfe7c18b3c77c968e0c4dde45072b3771dfe9ad0
-
SHA256
da6f3f1f642c13d2b7bf4c86e2686c5e1b606dbe0838423998c15742940545e9
-
SHA512
c406f0d0be44f329237040f163988b82aa83f94aad6fb88500ac4d54fd6f4739031ed7954a0b7ef4d07df488730e20f9ddeebbb44725e16180f97ee08e3e4b4f
-
SSDEEP
12288:Yefdsbuw0Wa95Em6E3/+Bpglgh+zIGznQNVZCJ/dzpTt+bwSKu:qU3B/Bo+z/+VO
Malware Config
Extracted
Protocol: smtp- Host:
mail.ipr-co.org - Port:
587 - Username:
[email protected] - Password:
IPRco@100102@
Extracted
agenttesla
Protocol: smtp- Host:
mail.ipr-co.org - Port:
587 - Username:
[email protected] - Password:
IPRco@100102@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2044 set thread context of 3612 2044 INVOICE-BUO2300000.exe 103 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3612 INVOICE-BUO2300000.exe 3612 INVOICE-BUO2300000.exe 3612 INVOICE-BUO2300000.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3612 INVOICE-BUO2300000.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103 PID 2044 wrote to memory of 3612 2044 INVOICE-BUO2300000.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\INVOICE-BUO2300000.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE-BUO2300000.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\INVOICE-BUO2300000.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE-BUO2300000.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2352 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:81⤵PID:3748
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3