Analysis
-
max time kernel
140s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
29-10-2022 09:27
General
-
Target
Payment copy.exe
-
Size
1014KB
-
MD5
9f36c6884ecc5ac7fe027121871596ed
-
SHA1
abb0b02b36d2556ef2f32911590dd8fceac9fafb
-
SHA256
d1fc82613bb43d33c1d9ddf97aa9a72825b0ab8974fc62bd7e205bd376ecb280
-
SHA512
dec37c49fd9c905a77c45fca1db867bd13785b2ae9bbde352f2d80a317975ae831d372cf85421e4b2e145a9818c6c714b8b79e64adb07f58e4bfd2311b357cf9
-
SSDEEP
24576:PtDYPGTvArkJGorX3g395z4oJMWaTehCCz8HgK:AwArkJGob3G5zIWaTesCo
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1507062795:AAEBb0H5OYbp-dWwXk8ffQp0InjOhKxhpbU/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment copy.exe"C:\Users\Admin\AppData\Local\Temp\Payment copy.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XSZdCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6F6.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Payment copy.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD598d84a27449eab2784221f57516ce0ff
SHA113f9132d53d596dc2c262a40e87673fd6d90ad08
SHA256662c6b726d3a4c3d2b1caa309af56a007f474f7c8517a301175f63257b8d2496
SHA512953a5143b13dc22eeebb2181e1f432f966cc2ebfcbccbd4d8e1947f1fd3c96a0091e03e11b3655244a9b0c6ce35de123d8200a741a45c27c16be868de3e880e1
-
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
528KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
1.0MB