Analysis
- max time kernel: 64s
- max time network: 49s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-04-2024 10:27
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Confirmation.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Payment Confirmation.exe
- Resource: win10v2004-20240419-en
General
- Target: Payment Confirmation.exe
- Size: 810.6MB
- MD5: 812fe5ef59f8cbb7d7f3736240ff73c1
- SHA1: 06f4822b98f5353615b4742191eab338af06ba8a
- SHA256: 64eaa0a244acc5f54a880250edc683cf0527f8321e43167068ff4eb463612bbf
- SHA512: 650c7870377173cc49bc71659d645d992beedbde203ccb11db2d2b0d0be8c4f62441122818b0264ca652d3655ae8f6ba8e7e05d9841985abe3943d291c29dc48
- SSDEEP: 12288:PNgLeFR6rXlv312Z3Zpxax7Z9UrvcPcZpNvy+TJ+BMzaBqFWHi05XNYUO:yXJ312ZZHapZ4GcZpNvl/eB5J5X2J
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6418207961:AAH1E3CkRrfH5aPds3LBLBZiKWkWD7qbX90/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Payment Confirmation.exe
  description | pid | process | target process
  PID 1236 set thread context of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Payment Confirmation.exe
  pid | process
  2956 | Payment Confirmation.exe
  2956 | Payment Confirmation.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Payment Confirmation.exe
  description | pid | process
  Token: SeDebugPrivilege | 2956 | Payment Confirmation.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Payment Confirmation.exe
  description | pid | process | target process
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
  PID 1236 wrote to memory of 2956 | 1236 | Payment Confirmation.exe | Payment Confirmation.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- memory/1236-8-0x00000000089D0000-0x0000000008A54000-memory.dmp (Filesize: 528KB)
- memory/1236-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp (Filesize: 584KB)
- memory/1236-9-0x000000000BB00000-0x000000000BB9C000-memory.dmp (Filesize: 624KB)
- memory/1236-1-0x0000000074DF0000-0x00000000755A0000-memory.dmp (Filesize: 7.7MB)
- memory/1236-5-0x0000000002A80000-0x0000000002A8A000-memory.dmp (Filesize: 40KB)
- memory/1236-6-0x00000000055D0000-0x00000000055F0000-memory.dmp (Filesize: 128KB)
- memory/1236-7-0x00000000060B0000-0x00000000060C4000-memory.dmp (Filesize: 80KB)
- memory/1236-0-0x0000000000460000-0x0000000000512000-memory.dmp (Filesize: 712KB)
- memory/1236-13-0x0000000074DF0000-0x00000000755A0000-memory.dmp (Filesize: 7.7MB)
- memory/1236-2-0x00000000055F0000-0x0000000005B94000-memory.dmp (Filesize: 5.6MB)
- memory/1236-4-0x0000000002A60000-0x0000000002A70000-memory.dmp (Filesize: 64KB)
- memory/2956-19-0x0000000005710000-0x0000000005720000-memory.dmp (Filesize: 64KB)
- memory/2956-14-0x0000000074DF0000-0x00000000755A0000-memory.dmp (Filesize: 7.7MB)
- memory/2956-15-0x0000000005710000-0x0000000005720000-memory.dmp (Filesize: 64KB)
- memory/2956-16-0x0000000005670000-0x00000000056D6000-memory.dmp (Filesize: 408KB)
- memory/2956-17-0x0000000006380000-0x00000000063D0000-memory.dmp (Filesize: 320KB)
- memory/2956-18-0x0000000074DF0000-0x00000000755A0000-memory.dmp (Filesize: 7.7MB)
- memory/2956-10-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)