Analysis
- max time kernel: 151s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 18:26
Static task: static1

Behavioral task: behavioral1
- Sample: RECEIPT.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: RECEIPT.exe
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: RECEIPT.exe
- Size: 647KB
- MD5: ef9873675db5ead478d4df49e58db6d5
- SHA1: 21420c8d117c1ab188949ccaf024d6ad3f226d5d
- SHA256: 4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5
- SHA512: 06b8a0a40e2acee58957a273d16f1ad678df85be94668c88e5a356f9d3763e9ae09a9a4d21d6791eb014ccbc04e7a8ecc0bb1d7516132d222776c2dd64768a47
- Score: 10/10
Malware Config

Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral1/memory/1720-9-0x0000000000400000-0x000000000044D000-memory.dmp
  yara_rule: family_agenttesla
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process      target process
  PID 1096 wrote to memory of 1128   1096  RECEIPT.exe  RECEIPT.exe
  PID 1096 wrote to memory of 1128   1096  RECEIPT.exe  RECEIPT.exe
  PID 1096 wrote to memory of 1128   1096  RECEIPT.exe  RECEIPT.exe
  PID 1096 wrote to memory of 1128   1096  RECEIPT.exe  RECEIPT.exe
  PID 1128 wrote to memory of 1724   1128  RECEIPT.exe  RECEIPT.exe
  PID 1128 wrote to memory of 1724   1128  RECEIPT.exe  RECEIPT.exe
  PID 1128 wrote to memory of 1724   1128  RECEIPT.exe  RECEIPT.exe
  PID 1128 wrote to memory of 1724   1128  RECEIPT.exe  RECEIPT.exe
  PID 1724 wrote to memory of 1720   1724  RECEIPT.exe  RECEIPT.exe
  PID 1724 wrote to memory of 1720   1724  RECEIPT.exe  RECEIPT.exe
  PID 1724 wrote to memory of 1720   1724  RECEIPT.exe  RECEIPT.exe
  PID 1724 wrote to memory of 1720   1724  RECEIPT.exe  RECEIPT.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
   PID: 1096
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
      PID: 1128
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
         PID: 1724
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
            PID: 1720
Network
MITRE ATT&CK Matrix
Downloads
- memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp (Filesize: 8KB)
- memory/1128-3-0x0000000000000000-mapping.dmp
- memory/1720-7-0x0000000000000000-mapping.dmp
- memory/1720-9-0x0000000000400000-0x000000000044D000-memory.dmp (Filesize: 308KB)
- memory/1724-5-0x0000000000000000-mapping.dmp