Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 08:19
Static task
static1
Behavioral task
behavioral1
Sample
proforma invoice.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
proforma invoice.exe
Resource
win10v2004-20240802-en
General
-
Target
proforma invoice.exe
-
Size
474KB
-
MD5
b79c749616e332aa98dff35091bc7ddb
-
SHA1
e853d7048efcef7e7c8259e92000d8efca9b66af
-
SHA256
c9b3d6a92282d003ae960076c147e224c8064fd98229c96df353948dc685237b
-
SHA512
156b627138e939abd3b5432783643502d021fcdd0b805380c4f8ce406aa16b06f9b2f09edb62865378c454197cb9f6c9747ec6803078f1fbc2b5935047589ad3
-
SSDEEP
12288:LDuUPu3qK0V5f5f5fGRRv5Bt9fcqg8ZVGD9PfCp3pP+KNOQgIMXKy5xU:nuiZZGRRfZkUtV+xf6y
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
business41.web-hosting.com - Port:
587 - Username:
[email protected] - Password:
london1759
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral1/memory/2424-15-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/2424-23-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/2424-21-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/2424-19-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/2424-13-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 proforma invoice.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 proforma invoice.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 proforma invoice.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2208 set thread context of 2424 2208 proforma invoice.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language proforma invoice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language proforma invoice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3056 netsh.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 604 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2424 proforma invoice.exe 2424 proforma invoice.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2424 proforma invoice.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2424 proforma invoice.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2208 wrote to memory of 604 2208 proforma invoice.exe 31 PID 2208 wrote to memory of 604 2208 proforma invoice.exe 31 PID 2208 wrote to memory of 604 2208 proforma invoice.exe 31 PID 2208 wrote to memory of 604 2208 proforma invoice.exe 31 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2208 wrote to memory of 2424 2208 proforma invoice.exe 33 PID 2424 wrote to memory of 3056 2424 proforma invoice.exe 35 PID 2424 wrote to memory of 3056 2424 proforma invoice.exe 35 PID 2424 wrote to memory of 3056 2424 proforma invoice.exe 35 PID 2424 wrote to memory of 3056 2424 proforma invoice.exe 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 proforma invoice.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 proforma invoice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yGgQPFWIoVqeWq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9BC.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:604
-
-
C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2424 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3056
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ad830cd4d2cece4dee7be584e0ef7df8
SHA1b470c5484fb34f3738d22fd2d4471a6da28b47b3
SHA256b073b47be08c7858f204f8e3e91dfb0a4d4c0d829ff2a6c0606f8f5f23182ae5
SHA512b71e5c6ded68294b0ce5d11eb04a4fee995b3f9a300f234472617b80f9ca0f35aade59f658834261e6098e34e37d265d54006290f4ac01e5371d25e9cfc952a5