Overview

overview

10

Static

static

payment receipt.exe

windows7-x64

10

payment receipt.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    88s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2022 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment receipt.exe

  • Size

    899KB

  • MD5

    ef2ce2f68f0c5562a64bd3139d81a62f

  • SHA1

    248f3b30bb878a7608d1da009ae686b2e805562b

  • SHA256

    112fea8779d66870df2bfe7d46f60f8e6f3c0f768a8076f9494404df0d2e88ed

  • SHA512

    bdef4affde1cfc29055fbf1ea8d7b98832cbd0086693913eaf38f875a7d9969635c0edd05df18598edcadf2da0d911980f5c412622e8b76625114226f1923c10

  • SSDEEP

    12288:goQgKZ/nXt7virmWhlGLaQYIRx/9/YAoDotxyo5iTz6wRhEq2jHrM393T7Qsm447:c/NYAHP5iTzOE3t32ia

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    work-toolz.click
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    3HLkst~=QzD3

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1464
    • C:\Users\Admin\AppData\Local\Temp\payment receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\payment receipt.exe"
      2⤵
        PID:512

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/512-68-0x000000000043248E-mapping.dmp

      Download

    • memory/512-66-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/512-70-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/512-67-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/512-63-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/512-62-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/512-65-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/940-61-0x0000000007E20000-0x0000000007E7C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/940-58-0x0000000007D90000-0x0000000007E26000-memory.dmp

      Filesize

      600KB

      Download

    • memory/940-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

      Filesize

      8KB

      Download

    • memory/940-57-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/940-54-0x00000000012A0000-0x0000000001386000-memory.dmp

      Filesize

      920KB

      Download

    • memory/940-56-0x00000000003F0000-0x0000000000406000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1464-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1464-72-0x00000000731A0000-0x000000007374B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1464-73-0x00000000731A0000-0x000000007374B000-memory.dmp

      Filesize

      5.7MB

      Download