Analysis
- max time kernel: 149s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:13

Static task: static1
Behavioral task: behavioral1
- Sample: Payment Copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Payment Copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment Copy.exe
- Size: 447KB
- MD5: 6ad7d8bf86c04715891b54cd2fe4a3de
- SHA1: 01417971637c349319d11de98c48f92c3eab6d50
- SHA256: 637b72e82538b767707282db37c0f960aa60c72e3c44c76ecaf232a9c105bf41
- SHA512: 79945668bec8fc41fd54169117aee755c74fae765398d92c2afccf45ed4e326a799015cb2cdf107618a4681648ad2246820916d37e57411f3c776c5bc88c6e35
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: alexisborris@yandex.ru
- Password: @Veronica24#
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer that typically exfiltrates harvested credentials and keystrokes over SMTP, FTP or HTTP; this sample's extracted config uses SMTP (see Malware Config above).
-
AgentTesla Payload 1 IoCs
Resource: behavioral2/memory/2816-136-0x0000000000400000-0x0000000000452000-memory.dmp
YARA rule: family_agenttesla
(The match is in the image-base region of the child process, PID 2816, the region the parent PID 4040 writes into below, so the unpacked payload lives in the hollowed child, not in the on-disk file.)
-
Suspicious use of SetThreadContext 1 IoCs
description          pid   process           target pid  target process
set thread context   4040  Payment Copy.exe  2816        Payment Copy.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   process
4040  Payment Copy.exe
2816  Payment Copy.exe
2816  Payment Copy.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   process
Token: SeDebugPrivilege  4040  Payment Copy.exe
Token: SeDebugPrivilege  2816  Payment Copy.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description        pid   process           target pid  target process
wrote to memory    4040  Payment Copy.exe  2816        Payment Copy.exe   (8 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe (PID 4040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe (PID 2816, child of 4040)
  Command line: "{path}"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Copy.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
  (A CLR_v4.0_32 UsageLogs entry is written by the .NET runtime for a 32-bit managed process, consistent with the sample being a .NET binary.)
-
memory/2816-135-0x0000000000000000-mapping.dmp
-
memory/2816-136-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
-
memory/2816-138-0x00000000064E0000-0x0000000006546000-memory.dmp
  Filesize: 408KB
-
memory/4040-130-0x0000000000C80000-0x0000000000CF4000-memory.dmp
  Filesize: 464KB
-
memory/4040-131-0x0000000005B70000-0x0000000006114000-memory.dmp
  Filesize: 5.6MB
-
memory/4040-132-0x0000000005680000-0x0000000005712000-memory.dmp
  Filesize: 584KB
-
memory/4040-133-0x0000000005AB0000-0x0000000005ABA000-memory.dmp
  Filesize: 40KB
-
memory/4040-134-0x0000000007F50000-0x0000000007FEC000-memory.dmp
  Filesize: 624KB