Analysis
- max time kernel: 42s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 10:53

Static task: static1
Behavioral task: behavioral1
  Sample: Payment Proof.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Payment Proof.exe
  Resource: win10v2004-20220414-en

General
- Target: Payment Proof.exe
- Size: 806KB
- MD5: 6c8f01372803ed1b13e8e03bc764b84f
- SHA1: 2851549bed6bab05ddd74c2ae97e7324b2df8e31
- SHA256: c482ca787afb6b9f12e79b80f791494338b6a353950c12e57df5b1411a1ccd50
- SHA512: fae08dac1a2f78177fd274954e00f57b6e16b869a8ed8fe1d8d61c7fd01c875dff44df69493dffb59c9f6ab25ac39b7a2ce12ddea7602444c149a7c475c6a487
Malware Config
Extracted
Family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: chukwudi123
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) and information stealer written in .NET.

AgentTesla Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2032-59-0x0000000000380000-0x00000000003CE000-memory.dmp  family_agenttesla
  behavioral1/memory/2032-58-0x0000000000380000-0x00000000003CE000-memory.dmp  family_agenttesla
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description  ioc                                                                                                                                                                        process
  Key opened   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Payment Proof.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    Payment Proof.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    Payment Proof.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 1180 (Payment Proof.exe) set thread context of PID 2032 (Payment Proof.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1180  Payment Proof.exe
  2032  Payment Proof.exe
  2032  Payment Proof.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   process
  1180  Payment Proof.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2032  Payment Proof.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1180 (Payment Proof.exe) wrote to memory of PID 2032 (Payment Proof.exe)
  PID 1180 (Payment Proof.exe) wrote to memory of PID 2032 (Payment Proof.exe)
  PID 1180 (Payment Proof.exe) wrote to memory of PID 2032 (Payment Proof.exe)
  PID 1180 (Payment Proof.exe) wrote to memory of PID 2032 (Payment Proof.exe)

outlook_office_path (1 IoCs)
  Key opened   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Payment Proof.exe

outlook_win_path (1 IoCs)
  Key opened   \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Payment Proof.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Proof.exe (PID 1180 per the signature tables)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Proof.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment Proof.exe (child, PID 2032 per the signature tables)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Proof.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
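The signature rows above describe the classic RunPE / process-hollowing chain: the first Payment Proof.exe (PID 1180) spawns a second copy of itself, writes into it, maps a section into it and then calls SetThreadContext so the child resumes into the injected AgentTesla payload, which is the copy that goes on to open the Outlook profile keys. The following detector is an added example, not part of the sandbox report or its tooling. It runs over a constructed event list shaped after the report's rows (same PIDs, image name, registry key and API names; the event record layout, the benign control pair 500 -> 600 and the severity thresholds are assumptions) and flags an (injector, target) pair only when both a cross-process write and a SetThreadContext are present, then correlates that with the child reading Outlook profile data:

```python
from collections import defaultdict

# Constructed behaviour events modelled on the report's signature rows
# (four WriteProcessMemory, one MapViewOfSection and one SetThreadContext
# from PID 1180 into PID 2032; an Outlook profile key opened by PID 2032).
# These are illustrative records, not sandbox output.  A benign control pair
# (500 -> 600, a debugger-style write without SetThreadContext) is included.
SID = "S-1-5-21-1819626980-2277161760-1023733287-1000"
OUTLOOK_KEY = ("\\REGISTRY\\USER\\" + SID +
               "\\Software\\Microsoft\\Office\\16.0\\Outlook"
               "\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676")


def _ev(api, pid, image, target=None, target_image=None, **extra):
    """Build one event record (assumed schema: acting pid plus optional target)."""
    rec = {"api": api, "pid": pid, "image": image,
           "target": target, "target_image": target_image}
    rec.update(extra)
    return rec


EVENTS = [
    _ev("WriteProcessMemory", 1180, "Payment Proof.exe", 2032, "Payment Proof.exe"),
    _ev("WriteProcessMemory", 1180, "Payment Proof.exe", 2032, "Payment Proof.exe"),
    _ev("WriteProcessMemory", 1180, "Payment Proof.exe", 2032, "Payment Proof.exe"),
    _ev("WriteProcessMemory", 1180, "Payment Proof.exe", 2032, "Payment Proof.exe"),
    _ev("NtMapViewOfSection", 1180, "Payment Proof.exe", 2032, "Payment Proof.exe"),
    _ev("SetThreadContext", 1180, "Payment Proof.exe", 2032, "Payment Proof.exe"),
    _ev("AdjustTokenPrivileges", 2032, "Payment Proof.exe", privilege="SeDebugPrivilege"),
    _ev("RegOpenKey", 2032, "Payment Proof.exe", key=OUTLOOK_KEY),
    _ev("WriteProcessMemory", 500, "devenv.exe", 600, "app.exe"),  # benign control
]

# Substrings that identify Outlook profile stores, taken from the report's
# outlook_win_path and outlook_office_path IoCs.
OUTLOOK_PROFILE_MARKERS = (
    "\\Windows Messaging Subsystem\\Profiles\\Outlook",
    "\\Outlook\\Profiles\\Outlook",
)


def find_hollowing(events):
    """Return one finding per (injector, target) pair whose cross-process
    activity includes both a memory write and a SetThreadContext, i.e. the
    RunPE / process-hollowing sequence (ATT&CK T1055.012)."""
    apis_by_pair = defaultdict(set)
    images = {}
    for e in events:
        if e["target"] is not None and e["target"] != e["pid"]:
            pair = (e["pid"], e["target"])
            apis_by_pair[pair].add(e["api"])
            images[pair] = (e["image"], e["target_image"])

    # Processes that read Outlook profile data; the hollowed child doing this
    # is what ties the injection to credential theft in the report.
    profile_readers = {
        e["pid"] for e in events
        if e["api"] == "RegOpenKey"
        and any(m in e["key"] for m in OUTLOOK_PROFILE_MARKERS)
    }

    findings = []
    for pair, apis in sorted(apis_by_pair.items()):
        if not {"WriteProcessMemory", "SetThreadContext"} <= apis:
            continue  # a write alone (debuggers, installers) is not enough
        src_img, dst_img = images[pair]
        findings.append({
            "injector": pair[0],
            "target": pair[1],
            "self_image": src_img.lower() == dst_img.lower(),
            "mapped_section": "NtMapViewOfSection" in apis,
            "target_reads_outlook_profiles": pair[1] in profile_readers,
        })
    return findings


def score(finding):
    """Additive severity (thresholds are assumptions) so that hollowing followed
    by Outlook profile access ranks above injection on its own."""
    s = 5                                          # write + SetThreadContext
    s += 2 if finding["mapped_section"] else 0     # payload mapped as a section
    s += 1 if finding["self_image"] else 0         # child is a copy of the parent
    s += 2 if finding["target_reads_outlook_profiles"] else 0
    return s


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(score(f), f)
```

Requiring the SetThreadContext alongside the write is what keeps the benign 500 -> 600 pair out of the findings; on real telemetry (Sysmon event 8/10 or an EDR API trace) the same two-step correlation is the low-noise way to surface this family before the network exfiltration to smtp.yandex.com ever happens.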
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp  Filesize: 8KB
- memory/1180-56-0x00000000003F0000-0x00000000003FF000-memory.dmp  Filesize: 60KB
- memory/2032-57-0x00000000004A75F0-mapping.dmp
- memory/2032-59-0x0000000000380000-0x00000000003CE000-memory.dmp  Filesize: 312KB
- memory/2032-58-0x0000000000380000-0x00000000003CE000-memory.dmp  Filesize: 312KB
- memory/2032-61-0x0000000075000000-0x00000000755AB000-memory.dmp  Filesize: 5.7MB