Analysis
- max time kernel: 109s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 23-10-2021 10:17
Static task: static1
Behavioral task: behavioral1
- Sample: Payment slip.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Payment slip.exe
- Resource: win10-en-20211014
General
- Target: Payment slip.exe
- Size: 664KB
- MD5: da1c1f2acf3ceaf318b88595c6fcd3e2
- SHA1: c1b33299ce801bdf1ec02e5125dcb018a751c0e8
- SHA256: e49f212d6e5f137cf1394c1bce43b0d84c1a982b0a52e43d27d8cd45692764b7
- SHA512: 21ba66ae3eb417f53a140a600dea660cdc6e951cac372a6993ebdde62ec61acecfa44589b9d9e4ecc61eefe87bb05c3fdee29e1dfec44ba45f39ea5a69b860c9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: ken@kengrouco.xyz
- Password: Everest10
Signatures
- AgentTesla
Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (originally Visual Basic). This build exfiltrates over SMTP using the mail server credentials in the extracted config above, so the credentials themselves are a usable network IoC (outbound TCP/587 to smtp.privateemail.com authenticating as ken@kengrouco.xyz).
- AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/352-116-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/352-117-0x0000000000436D3E-mapping.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2112 set thread context of 352 | 2112 | Payment slip.exe | Payment slip.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  2112 | Payment slip.exe (4 events)
  1020 | dw20.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2112 | Payment slip.exe
  Token: SeRestorePrivilege | 1020 | dw20.exe
  Token: SeBackupPrivilege | 1020 | dw20.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process
  PID 2112 wrote to memory of 1864 | 2112 | Payment slip.exe | Payment slip.exe (3 events)
  PID 2112 wrote to memory of 748 | 2112 | Payment slip.exe | Payment slip.exe (3 events)
  PID 2112 wrote to memory of 352 | 2112 | Payment slip.exe | Payment slip.exe (8 events)
  PID 352 wrote to memory of 1020 | 352 | Payment slip.exe | dw20.exe (3 events)
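The WriteProcessMemory and SetThreadContext entries above, read together, are the process-hollowing (RunPE) pattern: the parent spawns a copy of itself, writes the unpacked payload into it, then resets the child's thread context to the new entry point. Only one of the three same-image children (PID 352) received a SetThreadContext call, and that is also the process whose memory matched the AgentTesla YARA rule. The script below is an added example, not part of the tria.ge report; it re-types the report's own event lines as constructed input and classifies each (source, target) pair so the hollowed child can be picked out automatically. The regex and the labels are this example's own conventions.

```python
import re
from collections import Counter

# Constructed from the WriteProcessMemory / SetThreadContext entries in the
# Signatures section of this report (behavioral2). One line per API call,
# in the report's own "PID <src> <action> <dst> <src> <src image> <dst image>" form.
EVENTS = """\
PID 2112 wrote to memory of 1864 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 1864 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 1864 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 748 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 748 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 748 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 wrote to memory of 352 2112 Payment slip.exe Payment slip.exe
PID 2112 set thread context of 352 2112 Payment slip.exe Payment slip.exe
PID 352 wrote to memory of 1020 352 Payment slip.exe dw20.exe
PID 352 wrote to memory of 1020 352 Payment slip.exe dw20.exe
PID 352 wrote to memory of 1020 352 Payment slip.exe dw20.exe
"""

# Image names may contain spaces ("Payment slip.exe"), so both names are
# matched lazily up to their ".exe" suffix instead of splitting on whitespace.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$"
)


def parse_events(text):
    """Return (src_pid, action, dst_pid, src_img, dst_img) for each parsable line."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"]),
                        m["src_img"], m["dst_img"]))
    return out


def classify_injections(text):
    """Label every (src, dst) pair seen in the events.

    hollowing     : memory writes into a child with the same image, followed by
                    SetThreadContext on that child (RunPE / process hollowing).
    remote-inject : writes plus SetThreadContext into a process of another image.
    write-only    : writes with no thread-context change; either an abandoned
                    hollowing attempt or the writes a parent performs anyway
                    while creating a child process.
    """
    writes = Counter()
    ctx_pairs = set()
    images = {}
    for src, action, dst, src_img, dst_img in parse_events(text):
        images[(src, dst)] = (src_img, dst_img)
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:  # "set thread context of"
            ctx_pairs.add((src, dst))
    result = {}
    for pair, (src_img, dst_img) in images.items():
        if pair in ctx_pairs and writes[pair] > 0:
            label = "hollowing" if src_img == dst_img else "remote-inject"
        else:
            label = "write-only"
        result[pair] = {"label": label, "writes": writes[pair],
                        "src_img": src_img, "dst_img": dst_img}
    return result


def hollowed_pids(text):
    """PIDs that received the full write + SetThreadContext hollowing sequence."""
    return sorted(dst for (_, dst), info in classify_injections(text).items()
                  if info["label"] == "hollowing")


if __name__ == "__main__":
    for pair, info in classify_injections(EVENTS).items():
        print(pair, info)
    print("hollowed:", hollowed_pids(EVENTS))
```

Run against this report's events the script labels only 2112 -> 352 as hollowing; 1864 and 748 are write-only (the sample spawned two earlier children that never had their thread context replaced), and 352 -> 1020 is write-only into a different image, which is what a parent launching dw20.exe looks like rather than an injection.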
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe" (level 1; PID 2112 per the signature tables)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe" (level 2)
  - C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe" (level 2)
  - C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe" (level 2; PID 352, the hollowed child that matched the AgentTesla YARA rule)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 696 (level 3; PID 1020)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
dw20.exe is the .NET Framework 2.0 error-reporting tool that the CLR launches when a managed process hits an unhandled exception, so its SeRestorePrivilege/SeBackupPrivilege tokens and process enumeration belong to the crash reporter, not to the malware; the interesting fact is that the injected payload in PID 352 crashed during this run.
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment slip.exe.log
  MD5: ef140ef600b2463c9e7dbf064a104046
  SHA1: c08fd1853877be95575ea2e860dd8cafef31f54c
  SHA256: ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
  SHA512: bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
- memory/352-116-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/352-117-0x0000000000436D3E-mapping.dmp
- memory/352-120-0x00000000014F0000-0x00000000014F1000-memory.dmp (Filesize: 4KB)
- memory/1020-119-0x0000000000000000-mapping.dmp
- memory/2112-115-0x0000000001530000-0x0000000001531000-memory.dmp (Filesize: 4KB)
The CLR_v2.0_32 UsageLogs path shows the sample ran as a 32-bit .NET 2.0 assembly. The 240KB dump from PID 352 covers 0x400000-0x43C000, the default image base of a 32-bit executable, which is where a hollowed payload is mapped; that dump is the one that matched the family_agenttesla YARA rule and is the artifact to carve for the unpacked stealer.