Analysis
- max time kernel: 0s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 17:18
- Static task: static1
- Behavioral task: behavioral1 (sample Balancepayment.exe, resource win7-20231129-en)
- Behavioral task: behavioral2 (sample Balancepayment.exe, resource win10v2004-20231130-en)
General
- Target: Balancepayment.exe
- Size: 392KB
- MD5: 9380d44800fbdf3899fe1d04af533d1f
- SHA1: a052510980763e83d19c3f9824ea58a5f4eab2b3
- SHA256: 0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904
- SHA512: 8e2e205984f1672df25d4c78fca631290706e793677f480b0d088e60bdbef6b91b5e7752175cef0d85fc6c381adf39c64cb3ba6c4578ddbd5b7a79dff9f7be99
- SSDEEP: 6144:WSodkdIGvvJXFj+3vsW5qeP0sCuTiw14LqcCiNMF2eR2BQ1hZnhG5rO/lGFNzTbn:WSFdIGZVjukc044NCiSx71HsKGXJSA
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests browser, mail-client and FTP credentials plus keystrokes and sends them out over SMTP, FTP, HTTP or Telegram; the extracted configuration above is the SMTP account this build exfiltrates to.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 2 IoCs)
  Uses a command-line utility to view network configuration.
  Processes:
    PID   process
    2088  ipconfig.exe
    2564  ipconfig.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (each row was logged four times by the sandbox, which is where the count of 8 comes from):
    source PID  source process      target PID  target process
    1404        Balancepayment.exe  1712        cmd.exe
    1712        cmd.exe             2088        ipconfig.exe
  Only writes into child processes the parent had just created are recorded here; no write into the second Balancepayment.exe instance (PID 856) appears among the logged IoCs.
Processes
- C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe (PID 1404)
  command: "C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1712)
    command: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2692)
    command: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2564)
      command: ipconfig /renew
      signatures: Gathers network information
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2600)
    command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 1568)
      command: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
  - C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe (PID 856)
    command: C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe
- C:\Windows\SysWOW64\ipconfig.exe (PID 2088)
  command: ipconfig /release
  signatures: Gathers network information
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2476)
  command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2

Notes on the tree:
- The command lines name System32 while the image paths are under SysWOW64: the sample is a 32-bit process on a 64-bit host, so WOW64 file-system redirection resolves its System32 references to SysWOW64.
- The -enc argument to powershell.exe is base64 over UTF-16LE and decodes to Start-Process 'https://google.com', which is what launches iexplore.exe (PID 1568) with https://google.com/. Opening a benign site is a decoy; the request to google.com is not the sample's command-and-control traffic.
- ipconfig.exe (PID 2088) and IEXPLORE.EXE (PID 2476) are shown at the top level because the sandbox did not keep their parent links. The WriteProcessMemory rows show cmd.exe (PID 1712) created PID 2088, and the SCODEF:1568 argument marks PID 2476 as a content process of the iexplore.exe frame with PID 1568.
- The second Balancepayment.exe instance (PID 856) is the sample re-launching its own image from the same %TEMP% path under the first instance.
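The encoded PowerShell argument in the tree is worth decoding before accepting the "opens google.com" reading, and the tree itself carries three behaviours a detection rule can key on. As an added example, not part of the sandbox report or of the sample, the Python below rebuilds the tree above as data, decodes any -enc argument as base64 over UTF-16LE (decoding it as UTF-8 is the usual mistake and yields NUL-interleaved garbage), and flags an encoded PowerShell launch, a process re-launching its own image, and ipconfig run under a root that lives in a user-writable directory. The parent links for PIDs 2088 and 2476 are assumptions taken from the WriteProcessMemory rows and the SCODEF:1568 argument; everything else is copied from the report.

```python
import base64
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the process tree in this report: PIDs, image paths and
# command lines are the sandbox's. The parent links for ipconfig.exe 2088 and
# IEXPLORE.EXE 2476 are assumed from the WriteProcessMemory rows and the
# SCODEF:1568 argument. This is not output of any real tool.
PROCESSES = [
    Proc(1404, None, r"C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe"'),
    Proc(1712, 1404, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    Proc(2088, 1712, r"C:\Windows\SysWOW64\ipconfig.exe", r"ipconfig /release"),
    Proc(2692, 1404, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    Proc(2564, 2692, r"C:\Windows\SysWOW64\ipconfig.exe", r"ipconfig /renew"),
    Proc(2600, 1404, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
         "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA="),
    Proc(1568, 2600, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/'),
    Proc(2476, 1568, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2'),
    Proc(856, 1404, r"C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe",
         r"C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe"),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings most often seen on the command line.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
USER_WRITABLE = re.compile(r"(?i)^C:\\Users\\[^\\]+\\AppData\\")


def decode_encoded_command(cmdline):
    """Return the plaintext behind a powershell -enc argument, or None.

    -EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    m = ENC_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def root_of(proc, by_pid):
    """Walk parent links up to the top of the tree (or to an unknown parent)."""
    while proc.ppid is not None and proc.ppid in by_pid:
        proc = by_pid[proc.ppid]
    return proc


def triage(procs):
    """Return (pid, finding, detail) tuples for the behaviours this tree shows."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        root = root_of(p, by_pid)
        exe = p.image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(p.ppid)

        plain = decode_encoded_command(p.cmdline)
        if plain is not None:
            findings.append((p.pid, "encoded_powershell", plain))

        # Same image launched by itself: the pattern behind the second
        # Balancepayment.exe instance (PID 856).
        if parent is not None and parent.image.lower() == p.image.lower():
            findings.append((p.pid, "self_relaunch", p.image))

        # ipconfig /release or /renew whose root process lives in a user-writable
        # directory; the same command typed in an admin shell is not interesting.
        if exe == "ipconfig.exe" and USER_WRITABLE.match(root.image):
            findings.append((p.pid, "ipconfig_from_user_writable_root", p.cmdline))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in triage(PROCESSES):
        print(f"{pid:>5}  {kind:<34}  {detail}")
```

Run against the constructed tree it reports four findings: the decoded Start-Process line for PID 2600, the self-relaunch for PID 856, and the two ipconfig invocations (PIDs 2088 and 2564) whose root is the sample in %TEMP%. Feeding it real EDR process records only needs the same four fields per process; the root walk is what stops the rule from firing on an administrator running ipconfig from an explorer-spawned shell.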