Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 04:07
General
-
Target
pro-forma invoice.xlsm.exe
-
Size
2.2MB
-
MD5
7f673b101bf26081c7e9a07afb60208d
-
SHA1
7d875b5fa96cb98a12290dac8f78f32b321023c4
-
SHA256
b0dcb9ceb001f6ea05b3163e56783cfe2028357129eb7db516d28e88acd9845b
-
SHA512
59e218de90db1e498239ec9cdd129b595b58cc5f2e4da6b1a142b654ef1ad8ad21679c1714180ad28cf4163c39ba093f829ec7fb9bbda6577b3b026dd6aac2a5
-
SSDEEP
49152:Ya3RyYkdvQ0RKgfPj6eKgT24yYqYu+lste0NENnxIj0i7wClms:YwyjI0RKgfb6eKgTgXp+lst21x5Clms
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.spia-indonesia.org - Port:
587 - Username:
[email protected] - Password:
Looloo123@# - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe"C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe"C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1440-0-0x000000007405E000-0x000000007405F000-memory.dmpFilesize
4KB
-
memory/1440-1-0x0000000000E30000-0x0000000001076000-memory.dmpFilesize
2.3MB
-
memory/1440-2-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB
-
memory/1440-3-0x0000000004F30000-0x0000000005160000-memory.dmpFilesize
2.2MB
-
memory/1440-4-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-19-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-21-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-27-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-25-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-23-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-17-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-15-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-31-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-29-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-13-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-11-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-33-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-9-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-7-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-5-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-35-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-37-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-39-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-41-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-43-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-45-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-47-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-53-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-51-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-49-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-55-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-57-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-59-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-61-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-63-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-65-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-67-0x0000000004F30000-0x000000000515A000-memory.dmpFilesize
2.2MB
-
memory/1440-4890-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB
-
memory/1440-4891-0x0000000004880000-0x00000000048EC000-memory.dmpFilesize
432KB
-
memory/1440-4892-0x0000000000A90000-0x0000000000ADC000-memory.dmpFilesize
304KB
-
memory/1440-4893-0x000000007405E000-0x000000007405F000-memory.dmpFilesize
4KB
-
memory/1440-4894-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB
-
memory/1440-4895-0x0000000000C00000-0x0000000000C54000-memory.dmpFilesize
336KB
-
memory/1440-4910-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB
-
memory/2616-4912-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB
-
memory/2616-4911-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2616-4913-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB
-
memory/2616-4915-0x0000000074050000-0x000000007473E000-memory.dmpFilesize
6.9MB