Analysis
-
max time kernel
145s -
max time network
50s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
30-04-2024 01:37
General
-
Target
PaymentswiftcopyINV00932024.exe
-
Size
1.0MB
-
MD5
c206e8ed7f026afdf97282318a361018
-
SHA1
642898e055160a573f7c09b897fac22af1a8b141
-
SHA256
710ebba849b3ce051231c2f0c859b2a6aa0c00ab2a879279a81e6d44f1ccacad
-
SHA512
84cd3745b89c97461efea3a7ba7f8482b664a719792701f1d727385614ae46db2877fc72079fcb9fa805f865569f14d3d3f77dbf3b15ea0267832026b814d3cb
-
SSDEEP
24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa8erOFsAWdV5:/h+ZkldoPK8Ya8SOFp8
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.cmcapama.top - Port:
587 - Username:
[email protected] - Password:
EVEitDp@^lu~ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
-
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PaymentswiftcopyINV00932024.exe"C:\Users\Admin\AppData\Local\Temp\PaymentswiftcopyINV00932024.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\PaymentswiftcopyINV00932024.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2264-11-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2264-12-0x0000000073CF0000-0x00000000744A0000-memory.dmpFilesize
7.7MB
-
memory/2264-13-0x0000000005230000-0x00000000057D4000-memory.dmpFilesize
5.6MB
-
memory/2264-14-0x0000000004E50000-0x0000000004EB6000-memory.dmpFilesize
408KB
-
memory/2264-15-0x0000000004D40000-0x0000000004D50000-memory.dmpFilesize
64KB
-
memory/2264-16-0x0000000005D20000-0x0000000005D70000-memory.dmpFilesize
320KB
-
memory/2264-17-0x0000000005E10000-0x0000000005EA2000-memory.dmpFilesize
584KB
-
memory/2264-18-0x0000000005DB0000-0x0000000005DBA000-memory.dmpFilesize
40KB
-
memory/2264-19-0x0000000073CF0000-0x00000000744A0000-memory.dmpFilesize
7.7MB
-
memory/2264-20-0x0000000004D40000-0x0000000004D50000-memory.dmpFilesize
64KB
-
memory/3524-10-0x0000000000EE0000-0x0000000000EE4000-memory.dmpFilesize
16KB