Overview

overview

10

Static

static

9

Payment no...on.exe

windows7_x64

10

Payment no...on.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment notification.exe

  • Size

    429KB

  • MD5

    add3085642ac7fc63b5fba524f790a5b

  • SHA1

    21d4392b1c94fa1e1e8eb292e6216f9dd4dd16d9

  • SHA256

    73c5071a6dc5f6d66b800d56b97e6f451d2738aebb2efcacaaab86319392dddb

  • SHA512

    8e2dcaf9e4c37ead0412ee3df12ee05b8d1a0ec5a9a661bf0f450eed580803b9823508b5dbaca59148b91a1c6d8699b7f00f59e73fe064721bccef2d4f66a597

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    zstcznz.org
  • Port:
    587
  • Username:
    makonyo@zstcznz.org
  • Password:
    makonyo@2017

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    zstcznz.org
  • Port:
    587
  • Username:
    makonyo@zstcznz.org
  • Password:
    makonyo@2017

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment notification.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment notification.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      2⤵
        PID:3700
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2576
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          3⤵
            PID:3952

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2576-132-0x0000000000000000-mapping.dmp
        Download
      • memory/2576-133-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/2576-134-0x0000000074780000-0x0000000074D31000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3700-131-0x0000000000000000-mapping.dmp
        Download
      • memory/3952-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4488-130-0x0000000074780000-0x0000000074D31000-memory.dmp
        Filesize

        5.7MB

        Download