Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
07/06/2023, 16:36
General
-
Target
PAYMENT SLIP.exe
-
Size
690KB
-
MD5
10c038fed5281fbbbc727a74336e2f0a
-
SHA1
8a210c8f48426cf1d8d18e5a267b680c4bfd256b
-
SHA256
abef18ea3dd420650a3c4ffbae70c8a3409788f67986c0bb08955a85b6b3a290
-
SHA512
7f9a71f8e4f77d744d45dc7a8cfc203b761e09ad82b62bc0e94697fbc95c1d97e0f63fbbd123a5787c140dcc9f33e2d7462f8226f4c0a2df6a56384063c9f61b
-
SSDEEP
12288:F3CDNxgGmZmBlwzyeJHi8FT0Yrc72104IEiAgn:QNq8lwG8Hi8dB910TfBn
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
sarahfoils.com - Port:
587 - Username:
[email protected] - Password:
Scalatica01 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
712KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
64KB