Overview

overview

10

Static

static

1

Payment Advice.exe

windows7-x64

10

Payment Advice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2023 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice.exe

  • Size

    64KB

  • MD5

    b6eb7b4e594a56b4863355c9a7f86b53

  • SHA1

    117f098e05ef647da17ea4182b77f99efd7b1b94

  • SHA256

    6293bc321e0d935cb697ff2d091446f6ff17b604c8720fe525f0ef3c38de8dbe

  • SHA512

    463248fab99aff86929190ce4e7197ccfd59a65e5fbe8c85236e12825a8851c9479c394bf6fc403aab36632607109a12d065451c662138b7b32a237c9a50511a

  • SSDEEP

    768:0AOAg9DjP3i6zmz4e2XX/40LO6dusn04ep:ZON9DjP3iC+Ja/40ymuL3p

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.wasstech.com
  • Port:
    587
  • Username:
    sahar.nassif@wasstech.com
  • Password:
    payment 12345
  • Email To:
    sahar.nassif@wasstech.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      2⤵
        PID:2008
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
        2⤵
          PID:1176
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
          2⤵
            PID:1852
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
            2⤵
              PID:728
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:268
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 168
                3⤵
                • Program crash
                PID:864

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/268-56-0x0000000000400000-0x0000000000430000-memory.dmp
            Filesize

            192KB

            Download
          • memory/268-57-0x000000000042A7DE-mapping.dmp
            Download
          • memory/268-58-0x0000000076411000-0x0000000076413000-memory.dmp
            Filesize

            8KB

            Download
          • memory/864-59-0x0000000000000000-mapping.dmp
            Download
          • memory/940-54-0x0000000001270000-0x0000000001284000-memory.dmp
            Filesize

            80KB

            Download
          • memory/940-55-0x000000001AA90000-0x000000001AB00000-memory.dmp
            Filesize

            448KB

            Download