Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
139s -
platform
windows10_x64 -
resource
win10 -
submitted
13/07/2020, 06:36
Static task
static1
Behavioral task
behavioral1
Sample
Payment Slip.exe
Resource
win7
Behavioral task
behavioral2
Sample
Payment Slip.exe
Resource
win10
General
-
Target
Payment Slip.exe
-
Size
952KB
-
MD5
660f8c58cc4dc37f7e989f962e321073
-
SHA1
92600595d5c27f3d0e0de6880e7934cba2dff3cc
-
SHA256
0e231e55790532d2097e3ebe446aa7faf319dafe60f48bd12431c6e2ccb80eaa
-
SHA512
8af4947ca9170f82bba4b8234749148827f9b90db49b47d3c349429ef5af4665607d8b709adf1fd26da994fbacbe4fe362328cb9b6704b2e4d03945d35fc33e4
Malware Config
Extracted
Protocol: smtp- Host:
smtp.desmaindian.com - Port:
587 - Username:
[email protected] - Password:
!hTnTvF5
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3876 Payment Slip.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\well.vbs notepad.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3612 Payment Slip.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3612 set thread context of 3876 3612 Payment Slip.exe 68 -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
resource yara_rule behavioral2/memory/3876-1-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral2/memory/3876-3-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral2/memory/3876-4-0x0000000000400000-0x00000000004A4000-memory.dmp upx -
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3612 Payment Slip.exe 3612 Payment Slip.exe 3876 Payment Slip.exe 3876 Payment Slip.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3612 wrote to memory of 3736 3612 Payment Slip.exe 67 PID 3612 wrote to memory of 3736 3612 Payment Slip.exe 67 PID 3612 wrote to memory of 3736 3612 Payment Slip.exe 67 PID 3612 wrote to memory of 3736 3612 Payment Slip.exe 67 PID 3612 wrote to memory of 3736 3612 Payment Slip.exe 67 PID 3612 wrote to memory of 3876 3612 Payment Slip.exe 68 PID 3612 wrote to memory of 3876 3612 Payment Slip.exe 68 PID 3612 wrote to memory of 3876 3612 Payment Slip.exe 68
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Drops startup file
PID:3736
-
-
C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3876
-