Analysis

Max time kernel: 122s
Max time network: 127s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 20-10-2021 11:05

Static task: static1

Behavioral task: behavioral1
Sample: Payment slip.exe
Resource: win7-en-20210920

Behavioral task: behavioral2
Sample: Payment slip.exe
Resource: win10-en-20211014
General
Target: Payment slip.exe
Size: 428KB
MD5: d85599a4afd0e04420fcaea0e7873608
SHA1: 9f6a9f1ebae2a0668b9e25cd58beaaff31d33def
SHA256: 28d5e6cd0519719ea136a6227cb4a5d598bf3bef2d317c0edc64bc059feaa3d3
SHA512: 71f6aa47ca46d89e9a1187205eeb6cc29d9bc835b7058462889548aeab4c944aac1dc7561237b5f3add1ac1260aae7654ff83115cb51690d7e823c3c3470f3bc
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: Everest10
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT). It harvests saved credentials from browsers and email clients and sends them to an attacker-controlled account; this sample's extracted configuration exfiltrates over SMTP (see Malware Config above).
-
AgentTesla Payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/436-62-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/436-64-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/436-65-0x0000000000436D3E-mapping.dmp | family_agenttesla
behavioral1/memory/436-63-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/436-66-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment slip.exe
Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment slip.exe
Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment slip.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1128 set thread context of 436 | 1128 | Payment slip.exe | Payment slip.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs, identical)
Processes:
pid | process
436 | Payment slip.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 436 | Payment slip.exe
-
Suspicious use of WriteProcessMemory (9 IoCs, identical)
Processes:
description | pid | process | target process
PID 1128 wrote to memory of 436 | 1128 | Payment slip.exe | Payment slip.exe
-
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment slip.exe
-
outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment slip.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
  PID: 1128 (level 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
    PID: 436 (level 2, child of PID 1128)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
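The signature rows and process tree above describe one sequence: the first Payment slip.exe (PID 1128) spawns a second copy of itself (PID 436), writes into its memory nine times, then calls SetThreadContext on it; afterwards the child, not the parent, acquires SeDebugPrivilege and opens the Outlook MAPI profile subkey 9375CFF0413111d3B88A00104B2A6676 under three registry paths. That is the classic process-hollowing shape followed by credential access from the injected process. As an added example (not sandbox output and not the sandbox's own code), the Python below re-derives those verdicts from hand-constructed event rows copied from the report; the event schema (fields such as api, pid, target, target_image, key) and the function names are assumptions chosen for the example.

```python
"""Re-derive this report's key verdicts from its behavioral rows.

Added example, not sandbox output. EVENTS is constructed by hand from the
Signatures section of the report, and its field names ('api', 'pid',
'target', 'image', 'target_image', 'key', 'privilege') are an assumed
schema chosen for this example, not the sandbox's native format.
"""
from collections import Counter

IMG = r"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
HIVE = r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000"

# MAPI profile subkey under which Outlook stores account settings; stealers
# read it for saved mail credentials. The report shows it opened via three
# different parent paths, so match on the GUID rather than the full path.
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"
OUTLOOK_KEYS = [
    "\\".join([HIVE, r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook",
               OUTLOOK_PROFILE_GUID]),
    "\\".join([HIVE, r"Software\Microsoft\Windows NT\CurrentVersion"
                     r"\Windows Messaging Subsystem\Profiles\Outlook",
               OUTLOOK_PROFILE_GUID]),
    "\\".join([HIVE, r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
               OUTLOOK_PROFILE_GUID]),
]

# Constructed from the report: 9x WriteProcessMemory and 1x SetThreadContext
# from PID 1128 into PID 436 (same image on both sides), then SeDebugPrivilege
# and the Outlook profile key opens from the child.
EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 1128, "image": IMG,
      "target": 436, "target_image": IMG} for _ in range(9)]
    + [{"api": "SetThreadContext", "pid": 1128, "image": IMG,
        "target": 436, "target_image": IMG}]
    + [{"api": "AdjustPrivilegeToken", "pid": 436, "image": IMG,
        "privilege": "SeDebugPrivilege"}]
    + [{"api": "RegOpenKey", "pid": 436, "image": IMG, "key": k}
       for k in OUTLOOK_KEYS]
)


def hollowing_candidates(events, min_writes=1):
    """Parent->child pairs that both wrote into the child and reset a thread
    context there. Returns {(parent, child): {"writes": n, "same_image": bool}}.
    A same-image child plus this sequence is the process-hollowing shape;
    WriteProcessMemory alone (no SetThreadContext) is not reported."""
    writes = Counter()
    context_set = set()
    images = {}
    for e in events:
        if "target" not in e:
            continue
        pair = (e["pid"], e["target"])
        images[pair] = (e["image"], e["target_image"])
        if e["api"] == "WriteProcessMemory":
            writes[pair] += 1
        elif e["api"] == "SetThreadContext":
            context_set.add(pair)
    result = {}
    for pair in context_set:
        if writes[pair] >= min_writes:
            src, dst = images[pair]
            result[pair] = {"writes": writes[pair], "same_image": src == dst}
    return result


def outlook_profile_readers(events):
    """PIDs that opened the Outlook MAPI profile key under any Office version
    path (Office\\15.0, Office\\16.0 or the Windows Messaging Subsystem path)."""
    return {e["pid"] for e in events
            if e["api"] == "RegOpenKey"
            and OUTLOOK_PROFILE_GUID in e.get("key", "")}


def triage(events):
    """Combine the individual signals into the verdicts the report states."""
    hollowed = hollowing_candidates(events)
    readers = outlook_profile_readers(events)
    children = {child for (_, child) in hollowed}
    return {
        "hollowed": hollowed,
        "outlook_readers": readers,
        "debug_privilege": {e["pid"] for e in events
                            if e["api"] == "AdjustPrivilegeToken"
                            and e.get("privilege") == "SeDebugPrivilege"},
        # Strongest signal on this page: the credential access comes from
        # the process that received injected code, not from the dropper.
        "credential_access_from_injected": children & readers,
    }


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(f"{k}: {v}")
```

The check keys on the combination, not on any one API: a single WriteProcessMemory into a child is common for legitimate loaders and debuggers, but nine writes into a same-image child followed by SetThreadContext, and then Outlook profile reads from that child, is what separates this report's verdict from noise.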
Network
MITRE ATT&CK Enterprise v6
Downloads
-
file | filesize
memory/436-65-0x0000000000436D3E-mapping.dmp | (mapping dump, single address)
memory/436-60-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/436-61-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/436-62-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/436-64-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/436-63-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/436-66-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/436-68-0x0000000004960000-0x0000000004961000-memory.dmp | 4KB
memory/1128-56-0x0000000074B41000-0x0000000074B43000-memory.dmp | 8KB
memory/1128-57-0x0000000004CB0000-0x0000000004CB1000-memory.dmp | 4KB
memory/1128-58-0x00000000005E0000-0x00000000005E7000-memory.dmp | 28KB
memory/1128-59-0x0000000004BF0000-0x0000000004C47000-memory.dmp | 348KB
memory/1128-54-0x00000000009D0000-0x00000000009D1000-memory.dmp | 4KB
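Each dump name above encodes the PID, a snapshot sequence number and the virtual address range (or, for a mapping dump, a single address). As an added example (not part of the report and not the sandbox's own tooling), the Python below decodes those names and checks where the AgentTesla payload sits: DUMPS is copied by hand from the list above, DROPPER_SIZE is the 428KB from the General section, and the function names are assumptions chosen for the example.

```python
"""Decode sandbox memory-dump names into address ranges and sizes.

Added example, not part of the sandbox report. DUMPS is copied by hand from
the Downloads list of the report; DROPPER_SIZE is the "Size: 428KB" entry
from its General section. Function names are chosen for this example.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Constructed from the Downloads section of this report.
DUMPS = [
    "memory/436-65-0x0000000000436D3E-mapping.dmp",
    "memory/436-60-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/436-61-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/436-62-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/436-64-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/436-63-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/436-66-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/436-68-0x0000000004960000-0x0000000004961000-memory.dmp",
    "memory/1128-56-0x0000000074B41000-0x0000000074B43000-memory.dmp",
    "memory/1128-57-0x0000000004CB0000-0x0000000004CB1000-memory.dmp",
    "memory/1128-58-0x00000000005E0000-0x00000000005E7000-memory.dmp",
    "memory/1128-59-0x0000000004BF0000-0x0000000004C47000-memory.dmp",
    "memory/1128-54-0x00000000009D0000-0x00000000009D1000-memory.dmp",
]
DROPPER_SIZE = 428 * 1024  # "Size: 428KB" in the General section


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp' into fields.
    'mapping' dumps carry one address only, so they have no end and no size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
        "start": start, "end": end,
        "size": None if end is None else end - start,
    }


def regions_by_pid(names):
    """{pid: {(start, end): [seq, ...]}} for ranged dumps, so repeated
    snapshots of one region collapse into a single entry."""
    out = {}
    for n in names:
        d = parse_dump_name(n)
        if d["kind"] != "memory":
            continue
        out.setdefault(d["pid"], {}).setdefault(
            (d["start"], d["end"]), []).append(d["seq"])
    return out


def payload_region(names, pid, image_base=0x400000):
    """The region in `pid` that starts at the classic non-relocated image
    base, where an injected PE usually lands in a hollowed process, with its
    size compared against the dropper on disk. None if there is no such region."""
    for (start, end), seqs in regions_by_pid(names).get(pid, {}).items():
        if start == image_base:
            size = end - start
            return {"start": start, "end": end, "size": size,
                    "kib": size // 1024,
                    "matches_dropper": size == DROPPER_SIZE,
                    "snapshots": sorted(seqs)}
    return None


def mapping_hits(names, pid):
    """{address: containing (start, end) or None} for `pid`'s single-address
    mapping dumps, e.g. a thread start address set through SetThreadContext."""
    regions = regions_by_pid(names).get(pid, {})
    hits = {}
    for n in names:
        d = parse_dump_name(n)
        if d["pid"] != pid or d["kind"] != "mapping":
            continue
        hits[d["start"]] = next(
            ((s, e) for (s, e) in regions if s <= d["start"] < e), None)
    return hits


if __name__ == "__main__":
    print(payload_region(DUMPS, 436))
    print({hex(a): r for a, r in mapping_hits(DUMPS, 436).items()})
```

Run against the list above, the child's region at 0x400000 is 240KB (0x3C000 bytes) across six snapshots, smaller than the 428KB file on disk, and the single-address mapping dump at 0x436D3E (itself flagged family_agenttesla in the Signatures section) falls inside that region. Together with the WriteProcessMemory and SetThreadContext rows this is consistent with a second PE written into the child and its thread redirected into it, which is why the payload YARA hits are all on PID 436 dumps and none on the dropper's (PID 1128).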