Overview

overview

10

Static

static

3

INVOICE_MA...24.exe

windows7-x64

10

INVOICE_MA...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE_MAY-888201-2024.exe

  • Size

    917KB

  • MD5

    a362350a60490b6010c41ffe84f78ce6

  • SHA1

    a24ade8b3223cfcce28218b812735341852ef15b

  • SHA256

    3d18d539bce573477ec1562c88686d43dbdfe29c4556946af482c3e5aa2e9e75

  • SHA512

    5297e4fb3d52862ac979bbf6d504fcdffb84b2a3457356ba8c2ac97064ef36f03906c00c78c94cf820f097d5f400ad6a56607bd75331a0311374e8c9e898cd56

  • SSDEEP

    12288:c/ZitHOWilim4McpWg0CA3tSwXUVlWXQw0:SZiBOWib4vpWgUlXdf

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.ipr-co.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    IPRco@100102@

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE_MAY-888201-2024.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE_MAY-888201-2024.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\INVOICE_MAY-888201-2024.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE_MAY-888201-2024.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE_MAY-888201-2024.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • memory/3768-10-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3768-18-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3768-17-0x0000000006170000-0x00000000061C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3768-15-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3768-16-0x0000000005340000-0x00000000053A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3768-13-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3912-4-0x0000000005880000-0x000000000588A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3912-8-0x0000000007490000-0x0000000007512000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3912-9-0x0000000009B30000-0x0000000009BCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3912-7-0x0000000007130000-0x0000000007140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3912-6-0x0000000005BF0000-0x0000000005C0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3912-5-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3912-14-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3912-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3912-3-0x00000000057C0000-0x0000000005852000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3912-2-0x0000000005CC0000-0x0000000006264000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3912-1-0x0000000000D30000-0x0000000000E1C000-memory.dmp

    Filesize

    944KB

    Download