Analysis
- Max time kernel: 143s
- Max time network: 147s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 00:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: payment advice copy.image.scan01.jpg.exe
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: payment advice copy.image.scan01.jpg.exe
  - Resource: win10v2004-20220414-en
General
- Target: payment advice copy.image.scan01.jpg.exe
- Size: 404KB
- MD5: 951376f32a5d7407c6050cf92ef76031
- SHA1: 45209c07bb060f82f002e2fbd11bf536e9cfe1e0
- SHA256: 0b4b9a3ed216be7eac4a0ffa5add89024e0eab7e63ffdf1cb8e8af0e2119feac
- SHA512: 367580f71245bf6891f9047bfec5108d41a094e2622eaaf4a4aab623459df03b2fcfdf13ba5da50c0b08cf3b5711638c1dd4f5336fa2ee353106fc03d6e195aa
Malware Config
- Extracted
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: qwerty123@
- Extracted (family: agenttesla)
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: qwerty123@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  - Resource: behavioral2/memory/3552-134-0x0000000000400000-0x000000000044C000-memory.dmp
    YARA rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: payment advice copy.image.scan01.jpg.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2712 (payment advice copy.image.scan01.jpg.exe) set thread context of PID 3552 (payment advice copy.image.scan01.jpg.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  - PID 2712, payment advice copy.image.scan01.jpg.exe (6 events)
  - PID 3552, payment advice copy.image.scan01.jpg.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2712, payment advice copy.image.scan01.jpg.exe
  - Token: SeDebugPrivilege, PID 3552, payment advice copy.image.scan01.jpg.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2712 (payment advice copy.image.scan01.jpg.exe) wrote to memory of PID 3552 (payment advice copy.image.scan01.jpg.exe) (8 events)
- outlook_office_path (1 IoC)
  Process: payment advice copy.image.scan01.jpg.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: payment advice copy.image.scan01.jpg.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\payment advice copy.image.scan01.jpg.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment advice copy.image.scan01.jpg.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payment advice copy.image.scan01.jpg.exe (depth 2, child of the above)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment advice copy.image.scan01.jpg.exe.log
  - Filesize: 412B
  - MD5: ad1c7f6525cfeb54c0487efd38b0e26c
  - SHA1: ed3da94723ac7e3828a9e93d68418bb810592f3b
  - SHA256: 0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276
  - SHA512: 48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c
- memory/2712-130-0x0000000000160000-0x00000000001CC000-memory.dmp
  - Filesize: 432KB
- memory/2712-131-0x0000000004EA0000-0x0000000004F3C000-memory.dmp
  - Filesize: 624KB
- memory/2712-132-0x0000000004FE0000-0x0000000005072000-memory.dmp
  - Filesize: 584KB
- memory/3552-133-0x0000000000000000-mapping.dmp
- memory/3552-134-0x0000000000400000-0x000000000044C000-memory.dmp
  - Filesize: 304KB
- memory/3552-136-0x0000000005B30000-0x00000000060D4000-memory.dmp
  - Filesize: 5.6MB
- memory/3552-137-0x0000000006520000-0x0000000006586000-memory.dmp
  - Filesize: 408KB
- memory/3552-138-0x0000000001680000-0x00000000016D0000-memory.dmp
  - Filesize: 320KB