Overview

overview

10

Static

static

3

payment status.exe

windows7-x64

10

payment status.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment status.exe

  • Size

    611KB

  • MD5

    b3cb7b5092ec2f49be062a87a6335041

  • SHA1

    273ee251d431823cc65e1b9e177c34b36da3b578

  • SHA256

    8fc8d08ac95f945b863195ee3556c1e756754faff354db781a67a9323b4c06fc

  • SHA512

    04b1751627bd0d63cf9aa137738a7c28f0c5d827d2d69dfce45d3075321af5f25d09b51b10203d103ce585ae288f8a2cb3826f9fa780a1f630c8c0cd135e6f5b

  • SSDEEP

    12288:suod5zlZmSVaFl3LLTIhbH5TtOBoLFv0X1iMM0pwsNdRjH1y92Tneg:kzOSEXL/IhbHnuMF8X1iFsFH1y92ag

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment status.exe
    "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2100
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
  • C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    1⤵
    • Gathers network information
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1488-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1488-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1488-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1488-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1488-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1488-18-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1488-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2572-14-0x000000006F520000-0x000000006FACB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2572-17-0x000000006F520000-0x000000006FACB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2572-13-0x000000006F520000-0x000000006FACB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2572-15-0x0000000002A20000-0x0000000002A60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2572-16-0x0000000002A20000-0x0000000002A60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3052-7-0x0000000074450000-0x0000000074B3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3052-8-0x0000000004A00000-0x0000000004A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3052-0-0x00000000008D0000-0x000000000096E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/3052-6-0x0000000004810000-0x000000000485C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3052-3-0x0000000004A00000-0x0000000004A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3052-5-0x0000000001F60000-0x0000000001FA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3052-4-0x00000000005F0000-0x0000000000630000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3052-27-0x0000000074450000-0x0000000074B3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3052-2-0x0000000001F00000-0x0000000001F58000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3052-1-0x0000000074450000-0x0000000074B3E000-memory.dmp

    Filesize

    6.9MB

    Download