Overview

overview

10

Static

static

1

Balance payment.exe

windows7-x64

10

Balance payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Balance payment.exe

  • Size

    1.1MB

  • MD5

    381818e580f43857b5dd3da539308e69

  • SHA1

    3735e0d48dd8f7cc9988b319cd62c68ec0d40a4c

  • SHA256

    57b6b7a5011b1e0d3b8a43da9c78528e3a133cd20f5f9cf72c6359dab423693a

  • SHA512

    7ebb9a3bb8e240d334271ca5496a7400096fb142a0c80f8f5865e477e20093be85afc5278367f599be7e9738d405a75b5dcef38ded06b4cb2a1ecde7453e8736

  • SSDEEP

    24576:XJ1049HlMMkkelLuAmJyrAs7+1/G06nnjqKoes:c2HlLkdlLuA+yF7YqjqKoes

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lCQWbPNnxfqg.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lCQWbPNnxfqg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB408.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar7A36.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB408.tmp
    Filesize

    1KB

    MD5

    d17422e6471fd5566ae984d0986af8fd

    SHA1

    fd282c8cc2982977b40359094f1cc3c2caa2751c

    SHA256

    b7f6ab98e89954c12340b88a22d38765e4c26502fa2fe8919bfc41cd429de86c

    SHA512

    d62b579ae307c1ecf57e2dec9315a890acfdacdb4f97420bc320284d1258b73956ac8c213de9bed605befd3037a7d894c14af00df3f88ce5e04994df6fb0e4c1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    b2f2e11dd9eb0f841e54c35294c3d99f

    SHA1

    bbd94526db3f51c5db5481b80e0c3d3da71829ba

    SHA256

    2e49f6e790baa7b88bae7567ba8d7bc7d18b8bb3edf922e8cc2e90a379e29a4e

    SHA512

    22e9024d89d0c649f0b085041408b71ef1f5457e80dd04c291e9a44f89f4fd8dd564a43d4e0ec9348ba3c0ea8cd767b3749660652372126eef51b92951d71ee6

    Download Submit

  • memory/932-126-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-117-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-119-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-123-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/932-121-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-130-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/932-127-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2216-100-0x0000000005800000-0x000000000589E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2216-104-0x0000000005730000-0x00000000057B2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2216-103-0x0000000000B10000-0x0000000000B20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2216-129-0x0000000074330000-0x0000000074A1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2216-102-0x0000000000B00000-0x0000000000B0E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2216-101-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2216-0-0x000000007433E000-0x000000007433F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2216-2-0x0000000074330000-0x0000000074A1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2216-1-0x0000000000ED0000-0x0000000000FF8000-memory.dmp

    Filesize

    1.2MB

    Download