Overview

overview

10

Static

static

1

Debit Note.exe

windows7-x64

10

Debit Note.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    226s
  • max time network
    333s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2023, 08:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Debit Note.exe

  • Size

    685KB

  • MD5

    1a431097afb48954b94defec865d84f5

  • SHA1

    eaafb2d6af27cec988ac6829ff528066771fe736

  • SHA256

    309dd7ed63e9360abcb589290adda980a24e8a327d0090c6c839e306bada6558

  • SHA512

    32685dec6fea0e2c149cfa4ce2828f0a461468fffb4c19ab709fa9e1fc2a5baf3d0812fb55805895a464dba71a896a0011457ab7cc5e30167e27cb06b5be9334

  • SSDEEP

    12288:PuAskehLWn7dfWXeea+wpfXGJAHqvayEgfkxguPZW7z0JIZmDzOOua61A:W9LqYef+MHCGg8xgqZW7z0JIZm36

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Debit Note.exe
    "C:\Users\Admin\AppData\Local\Temp\Debit Note.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
      2⤵
        PID:344
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
        2⤵
          PID:896
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
          2⤵
            PID:1408
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
            2⤵
              PID:1668
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
              2⤵
                PID:1780
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
                2⤵
                  PID:1784
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
                  2⤵
                    PID:1448
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                    2⤵
                      PID:1672
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                      2⤵
                        PID:668
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
                        2⤵
                          PID:1412
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                          2⤵
                            PID:1316
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
                            2⤵
                              PID:1112
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
                              2⤵
                                PID:988
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                                2⤵
                                  PID:1740
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                                  2⤵
                                    PID:1468
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1572
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 168
                                      3⤵
                                      • Program crash
                                      PID:944

                                Network

                                      MITRE ATT&CK Matrix

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/776-54-0x00000000001E0000-0x0000000000290000-memory.dmp

                                        Filesize

                                        704KB

                                        Download

                                      • memory/776-55-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/776-56-0x00000000006E0000-0x0000000000750000-memory.dmp

                                        Filesize

                                        448KB

                                        Download

                                      • memory/1572-57-0x0000000000400000-0x0000000000430000-memory.dmp

                                        Filesize

                                        192KB

                                        Download

                                      • memory/1572-59-0x0000000076931000-0x0000000076933000-memory.dmp

                                        Filesize

                                        8KB

                                        Download