Overview

overview

10

Static

static

Payment Copy.exe

windows7_x64

10

Payment Copy.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Copy.exe

  • Size

    447KB

  • MD5

    6ad7d8bf86c04715891b54cd2fe4a3de

  • SHA1

    01417971637c349319d11de98c48f92c3eab6d50

  • SHA256

    637b72e82538b767707282db37c0f960aa60c72e3c44c76ecaf232a9c105bf41

  • SHA512

    79945668bec8fc41fd54169117aee755c74fae765398d92c2afccf45ed4e326a799015cb2cdf107618a4681648ad2246820916d37e57411f3c776c5bc88c6e35

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    alexisborris@yandex.ru
  • Password:
    @Veronica24#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Copy.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • memory/2816-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2816-136-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2816-138-0x00000000064E0000-0x0000000006546000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4040-130-0x0000000000C80000-0x0000000000CF4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/4040-131-0x0000000005B70000-0x0000000006114000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4040-132-0x0000000005680000-0x0000000005712000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4040-133-0x0000000005AB0000-0x0000000005ABA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4040-134-0x0000000007F50000-0x0000000007FEC000-memory.dmp
    Filesize

    624KB

    Download