Analysis
- max time kernel: 130s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:17

Static task: static1

Behavioral task: behavioral1
- Sample: payment advice copy.image.scan01.jpg.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: payment advice copy.image.scan01.jpg.exe
- Resource: win10v2004-20220414-en

General
- Target: payment advice copy.image.scan01.jpg.exe
- Size: 404KB
- MD5: 951376f32a5d7407c6050cf92ef76031
- SHA1: 45209c07bb060f82f002e2fbd11bf536e9cfe1e0
- SHA256: 0b4b9a3ed216be7eac4a0ffa5add89024e0eab7e63ffdf1cb8e8af0e2119feac
- SHA512: 367580f71245bf6891f9047bfec5108d41a094e2622eaaf4a4aab623459df03b2fcfdf13ba5da50c0b08cf3b5711638c1dd4f5336fa2ee353106fc03d6e195aa
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: qwerty123@
Signatures
-
AgentTesla
Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (Visual Basic .NET). This sample's extracted configuration exfiltrates over SMTP to the mailbox listed above.
-
AgentTesla Payload (6 IoCs)
Processes:
resource -> yara_rule
- behavioral1/memory/1168-61-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
- behavioral1/memory/1168-62-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
- behavioral1/memory/1168-63-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
- behavioral1/memory/1168-64-0x0000000000446DBE-mapping.dmp -> family_agenttesla
- behavioral1/memory/1168-66-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
- behavioral1/memory/1168-68-0x0000000000400000-0x000000000044C000-memory.dmp -> family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment advice copy.image.scan01.jpg.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment advice copy.image.scan01.jpg.exe
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment advice copy.image.scan01.jpg.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe
description | pid | process | target process
- PID 644 set thread context of 1168 | 644 | payment advice copy.image.scan01.jpg.exe | payment advice copy.image.scan01.jpg.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe, payment advice copy.image.scan01.jpg.exe
pid | process
- 644 | payment advice copy.image.scan01.jpg.exe (4 entries)
- 1168 | payment advice copy.image.scan01.jpg.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe, payment advice copy.image.scan01.jpg.exe
description | pid | process
- Token: SeDebugPrivilege | 644 | payment advice copy.image.scan01.jpg.exe
- Token: SeDebugPrivilege | 1168 | payment advice copy.image.scan01.jpg.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe
description | pid | process | target process
- PID 644 wrote to memory of 1168 | 644 | payment advice copy.image.scan01.jpg.exe | payment advice copy.image.scan01.jpg.exe (9 identical entries)
-
outlook_office_path (1 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment advice copy.image.scan01.jpg.exe
-
outlook_win_path (1 IoCs)
Processes: payment advice copy.image.scan01.jpg.exe
description | ioc | process
- Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | payment advice copy.image.scan01.jpg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\payment advice copy.image.scan01.jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment advice copy.image.scan01.jpg.exe" (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payment advice copy.image.scan01.jpg.exe
    Command line: "{path}" (depth 2, child of the process above)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
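The signature tables and process tree above describe one chain: the first instance (PID 644) takes SeDebugPrivilege, writes nine times into a second copy of its own image (PID 1168), changes that copy's thread context, and the injected copy then opens the Outlook profile keys. The following is an added detection example, not part of the sandbox report or its tooling: the Event model, rule names and verdict strings are this example's own, and the event list is constructed from the report's tables (same pids, image, counts and registry keys), not captured live.

```python
"""Detection rules over the behavioural events recorded in the report above.

Added example, not the sandbox's code. EVENTS is constructed from the report's
signature tables; Event, injection_pairs, outlook_profile_access and analyze
are this example's names.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

IMAGE = "payment advice copy.image.scan01.jpg.exe"
# Hive prefix and profile GUID exactly as the report records them.
HKU = "\\REGISTRY\\USER\\S-1-5-21-2277218442-1199762539-2004043321-1000"
PROFILE = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"


@dataclass(frozen=True)
class Event:
    kind: str                        # API or signature name as the report labels it
    pid: int
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: str = ""                 # privilege name or registry key


# Constructed from the report: 1 + 9 + 1 + 1 + 3 events, in the order the
# signatures list them (the report carries no timestamps for these rows).
EVENTS = (
    [Event("AdjustPrivilegeToken", 644, IMAGE, detail="SeDebugPrivilege")]
    + [Event("WriteProcessMemory", 644, IMAGE, 1168, IMAGE)] * 9
    + [Event("SetThreadContext", 644, IMAGE, 1168, IMAGE)]
    + [Event("AdjustPrivilegeToken", 1168, IMAGE, detail="SeDebugPrivilege")]
    + [Event("RegOpenKey", 1168, IMAGE, detail=HKU + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE),
       Event("RegOpenKey", 1168, IMAGE, detail=HKU + r"\Software\Microsoft\Office\15.0\Outlook" + PROFILE),
       Event("RegOpenKey", 1168, IMAGE,
             detail=HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" + PROFILE)]
)

# Where Outlook keeps account/profile data; the report's outlook_office_path
# and outlook_win_path signatures fire on these two locations.
OUTLOOK_PROFILE_KEYS = [
    re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
    re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
]


def injection_pairs(events):
    """(parent, child) pairs that saw both a cross-process write and a thread
    context change from parent into child, with per-API counts. The two APIs
    together are the hollowing sequence: write the payload, then repoint the
    suspended child's thread at it."""
    seen = defaultdict(Counter)
    for e in events:
        if e.kind in ("WriteProcessMemory", "SetThreadContext") and e.target_pid is not None:
            seen[(e.pid, e.target_pid)][e.kind] += 1
    return {pair: dict(c) for pair, c in seen.items()
            if c["WriteProcessMemory"] and c["SetThreadContext"]}


def outlook_profile_access(events):
    """pid -> Outlook profile keys it opened (mail credential store access)."""
    hits = defaultdict(list)
    for e in events:
        if e.kind == "RegOpenKey" and any(p.search(e.detail) for p in OUTLOOK_PROFILE_KEYS):
            hits[e.pid].append(e.detail)
    return dict(hits)


def analyze(events):
    images = {}
    for e in events:
        images[e.pid] = e.image
        if e.target_pid is not None:
            images[e.target_pid] = e.target_image
    pairs = injection_pairs(events)
    outlook = outlook_profile_access(events)
    findings = []
    for (parent, child), counts in pairs.items():
        same_image = images.get(parent) == images.get(child)
        findings.append(
            f"PID {parent} injected into PID {child}: {counts['WriteProcessMemory']} WriteProcessMemory, "
            f"{counts['SetThreadContext']} SetThreadContext"
            + ("; child runs the parent's own image (self-hollowing)" if same_image else ""))
        if child in outlook:
            findings.append(f"injected PID {child} opened {len(outlook[child])} Outlook profile keys")
    return {
        "injection_pairs": pairs,
        "self_hollowing": [p for p in pairs if images.get(p[0]) == images.get(p[1])],
        "outlook_access": outlook,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(EVENTS)["findings"]:
        print(line)
```

The rule keys on the pair (writer pid, target pid) rather than on any single API call, because WriteProcessMemory alone is common in legitimate software (debuggers, installers); it is the write plus the thread-context change into the same child, and here the child being a second copy of the same executable, that marks the hollowing. The Outlook keys are then attributed to the injected child, which is the process that actually holds the AgentTesla payload in the dumps listed in the Signatures section.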
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/644-54-0x00000000000F0000-0x000000000015C000-memory.dmp (Filesize 432KB)
- memory/644-55-0x00000000005B0000-0x00000000005BA000-memory.dmp (Filesize 40KB)
- memory/644-56-0x0000000004090000-0x00000000040EC000-memory.dmp (Filesize 368KB)
- memory/644-57-0x0000000004C00000-0x0000000004C4A000-memory.dmp (Filesize 296KB)
- memory/1168-58-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-59-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-61-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-62-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-63-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-64-0x0000000000446DBE-mapping.dmp
- memory/1168-66-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-68-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1168-69-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (Filesize 8KB)
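The dump names encode pid, sequence number and the dumped address range, so the Filesize column can be cross-checked against the range and the family_agenttesla YARA hits from the Signatures section can be tied back to one region. The following is an added example, not the sandbox's own tooling: the dump names and listed sizes are copied from the report, the parser and checks are this example's, and the observation that 0x400000 is the default image base of a 32-bit Windows executable is general PE knowledge rather than something the report states.

```python
"""Parse and cross-check the memory-dump names from the Downloads list above.

Added example, not part of the report. DUMPS and YARA_HITS are transcribed
from the report; parse_dump, size_mismatches, unaligned_regions,
locate_mapping and yara_hit_regions are this example's helpers.
"""
import re

# (dump name, listed Filesize in KB; None where the report shows no size)
DUMPS = [
    ("memory/644-54-0x00000000000F0000-0x000000000015C000-memory.dmp", 432),
    ("memory/644-55-0x00000000005B0000-0x00000000005BA000-memory.dmp", 40),
    ("memory/644-56-0x0000000004090000-0x00000000040EC000-memory.dmp", 368),
    ("memory/644-57-0x0000000004C00000-0x0000000004C4A000-memory.dmp", 296),
    ("memory/1168-58-0x0000000000400000-0x000000000044C000-memory.dmp", 304),
    ("memory/1168-64-0x0000000000446DBE-mapping.dmp", None),
    ("memory/1168-69-0x0000000075BF1000-0x0000000075BF3000-memory.dmp", 8),
]
# Dumps the family_agenttesla YARA rule matched (from the Signatures section).
YARA_HITS = [
    "behavioral1/memory/1168-%d-0x0000000000400000-0x000000000044C000-memory.dmp" % n
    for n in (61, 62, 63, 66, 68)
] + ["behavioral1/memory/1168-64-0x0000000000446DBE-mapping.dmp"]

REGION = re.compile(r"^(?:\w+/)?memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MAPPING = re.compile(r"^(?:\w+/)?memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")


def parse_dump(name):
    """Return the pid, sequence number and address info encoded in a dump name."""
    m = REGION.match(name)
    if m:
        pid, seq, lo, hi = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "region",
                "start": int(lo, 16), "end": int(hi, 16)}
    m = MAPPING.match(name)
    if m:
        pid, seq, addr = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "mapping", "addr": int(addr, 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def size_mismatches(dumps):
    """Regions whose address range disagrees with the listed Filesize (KB)."""
    bad = []
    for name, listed_kb in dumps:
        d = parse_dump(name)
        if d["kind"] == "region" and listed_kb is not None:
            actual_kb = (d["end"] - d["start"]) // 1024
            if actual_kb != listed_kb:
                bad.append((name, listed_kb, actual_kb))
    return bad


def unaligned_regions(dumps):
    """Region dumps not on 4 KiB page boundaries; a whole-region dump should be."""
    out = []
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "region" and (d["start"] % 0x1000 or d["end"] % 0x1000):
            out.append(name)
    return out


def locate_mapping(dumps, mapping_name):
    """Find the dumped region of the same pid that contains the mapping
    address and return that address's offset from the region base."""
    m = parse_dump(mapping_name)
    for name, _ in dumps:
        d = parse_dump(name)
        if d["kind"] == "region" and d["pid"] == m["pid"] and d["start"] <= m["addr"] < d["end"]:
            return {"region": name, "base": d["start"], "rva": m["addr"] - d["start"]}
    return None


def yara_hit_regions(hits):
    """Distinct (pid, start, end) ranges the YARA rule fired on."""
    out = set()
    for h in hits:
        d = parse_dump(h)
        if d["kind"] == "region":
            out.add((d["pid"], d["start"], d["end"]))
    return sorted(out)


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    print("unaligned:", unaligned_regions(DUMPS))
    print("mapping:", locate_mapping(DUMPS, "memory/1168-64-0x0000000000446DBE-mapping.dmp"))
    print("yara regions:", [(p, hex(s), hex(e)) for p, s, e in yara_hit_regions(YARA_HITS)])
```

Run against the report's list, every Filesize agrees with its address range, every region is page-aligned, all YARA hits fall on one 304KB region of the injected child at 0x400000 (the default 32-bit image base, consistent with the payload having been mapped over the hollowed child's own image), and the mapping dump's address 0x446DBE sits 0x46DBE bytes into that same region. That region, not the parent's dumps, is the one to carve for the unpacked AgentTesla binary.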