Overview

overview

10

Static

static

3

Payment Co...on.exe

windows7-x64

10

Payment Co...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-04-2024 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Confirmation.exe

  • Size

    810.6MB

  • MD5

    812fe5ef59f8cbb7d7f3736240ff73c1

  • SHA1

    06f4822b98f5353615b4742191eab338af06ba8a

  • SHA256

    64eaa0a244acc5f54a880250edc683cf0527f8321e43167068ff4eb463612bbf

  • SHA512

    650c7870377173cc49bc71659d645d992beedbde203ccb11db2d2b0d0be8c4f62441122818b0264ca652d3655ae8f6ba8e7e05d9841985abe3943d291c29dc48

  • SSDEEP

    12288:PNgLeFR6rXlv312Z3Zpxax7Z9UrvcPcZpNvy+TJ+BMzaBqFWHi05XNYUO:yXJ312ZZHapZ4GcZpNvl/eB5J5X2J

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6418207961:AAH1E3CkRrfH5aPds3LBLBZiKWkWD7qbX90/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • memory/1236-8-0x00000000089D0000-0x0000000008A54000-memory.dmp
    Filesize

    528KB

    Download
  • memory/1236-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1236-9-0x000000000BB00000-0x000000000BB9C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1236-1-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1236-5-0x0000000002A80000-0x0000000002A8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1236-6-0x00000000055D0000-0x00000000055F0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1236-7-0x00000000060B0000-0x00000000060C4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1236-0-0x0000000000460000-0x0000000000512000-memory.dmp
    Filesize

    712KB

    Download
  • memory/1236-13-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1236-2-0x00000000055F0000-0x0000000005B94000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1236-4-0x0000000002A60000-0x0000000002A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2956-19-0x0000000005710000-0x0000000005720000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2956-14-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2956-15-0x0000000005710000-0x0000000005720000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2956-16-0x0000000005670000-0x00000000056D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2956-17-0x0000000006380000-0x00000000063D0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2956-18-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2956-10-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download