Analysis

  • max time kernel
    122s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 08:14

General

  • Target

    Payment $67,830.00.exe

  • Size

    690KB

  • MD5

    df77aaa6e3e3aa36d253ef893063452f

  • SHA1

    db0f0750d0bbe620db17a719f74c06746a2e05de

  • SHA256

    0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12

  • SHA512

    1d31dd3e1bb6cc0b2f7b50d592084083fcf4eee05665589216669eb777ae7470f91d0839ae2caba82f84f727ea2218e7860899f1f8023c80e12c7acccbd81106

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    billions101@vivaldi.net
  • Password:
    Great#@#$12909()*&^

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment $67,830.00.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment $67,830.00.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\Payment $67,830.00.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment $67,830.00.exe"
      2⤵
        PID:720
      • C:\Users\Admin\AppData\Local\Temp\Payment $67,830.00.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment $67,830.00.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1188

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1188-65-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/1188-66-0x00000000004374DE-mapping.dmp
  • memory/1188-67-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/1188-69-0x0000000002290000-0x0000000002291000-memory.dmp
    Filesize: 4KB
  • memory/2016-59-0x0000000000A40000-0x0000000000A41000-memory.dmp
    Filesize: 4KB
  • memory/2016-61-0x0000000004C90000-0x0000000004C91000-memory.dmp
    Filesize: 4KB
  • memory/2016-62-0x00000000004F0000-0x000000000050B000-memory.dmp
    Filesize: 108KB
  • memory/2016-63-0x0000000005FC0000-0x0000000006037000-memory.dmp
    Filesize: 476KB
  • memory/2016-64-0x0000000004E10000-0x0000000004E4D000-memory.dmp
    Filesize: 244KB