Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2024 15:21
Static task
static1
Behavioral task
behavioral1
Sample
Scanned copy invoice.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Scanned copy invoice.exe
Resource
win10v2004-20240802-en
General
-
Target
Scanned copy invoice.exe
-
Size
429KB
-
MD5
2bffa0ee481c114fbae3dd11de379253
-
SHA1
32192f93fa6650bfc4eb01c0a2731c6fcc3050c3
-
SHA256
5e8cf7376d24c9637309a847c15ca2fc080d016d91b656dd8adc61f3d7d71abc
-
SHA512
1d1d74155b7ce5efab02e5fbc6f913daac6afe2645880feb70a65d0dfa47508e514f6ba52d059911f4a330bf99f30e6f1a1f7844f53a1b2468568f8c05817a7b
-
SSDEEP
6144:DZm49UNNMYc+5TdyfZjx1WWiOXbSHtBt3pt7MTa:19VA5TuZjx1WeGBt3/
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.ereglitso.org.tr - Port:
587 - Username:
[email protected] - Password:
=itbvqD+KGPp
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
resource yara_rule behavioral2/memory/3472-16-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
System Binary Proxy Execution: InstallUtil 1 TTPs 2 IoCs
Abuse InstallUtil to proxy execution of malicious code.
description ioc Process Key opened \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\InstallUtil.exe Scanned copy invoice.exe File created C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe Scanned copy invoice.exe -
Executes dropped EXE 1 IoCs
pid Process 3472 InstallUtil.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/4360-2-0x0000000003320000-0x0000000003334000-memory.dmp agile_net -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4360 set thread context of 3472 4360 Scanned copy invoice.exe 89 -
Program crash 1 IoCs
pid pid_target Process procid_target 4016 3472 WerFault.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Scanned copy invoice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4360 Scanned copy invoice.exe 4360 Scanned copy invoice.exe 4360 Scanned copy invoice.exe 3472 InstallUtil.exe 3472 InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4360 Scanned copy invoice.exe Token: SeDebugPrivilege 3472 InstallUtil.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89 PID 4360 wrote to memory of 3472 4360 Scanned copy invoice.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scanned copy invoice.exe"C:\Users\Admin\AppData\Local\Temp\Scanned copy invoice.exe"1⤵
- System Binary Proxy Execution: InstallUtil
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 13563⤵
- Program crash
PID:4016
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3472 -ip 34721⤵PID:2280
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD55d4073b2eb6d217c19f2b22f21bf8d57
SHA1f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA5129ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159