Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 17-06-2024 16:44
Static task: static1
Behavioral task: behavioral1
  Sample: Zahlung.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Zahlung.exe
  Resource: win10v2004-20240611-en
General
- Target: Zahlung.exe
- Size: 1.1MB
- MD5: e943b414bd144ca2b31d14538bba561c
- SHA1: 620667c51ffe854b6584c9d26e4c42623621e5a9
- SHA256: 0e1e4938f829e6a6812c2b3f8ec8a0fbeaa7f8935c472921e332023fbbf953c4
- SHA512: 63dcbecd15cc7930ff42d6996114e54a69f0f9343ac10501448df7fa7502fb6e4d3b349424a056f960b66724b0273bed03d0aec573609911bedf6cee691d4747
- SSDEEP: 24576:3AHnh+eWsN3skA4RV1Hom2KXMmHai3+BHBM1FMFei5:qh+ZkldoPK8Yai3XFMFv
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    2     ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Zahlung.exe
    description                           pid   process      target process
    PID 2176 set thread context of 2840   2176  Zahlung.exe  RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
    pid   process
    2840  RegSvcs.exe
    2840  RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: Zahlung.exe
    pid   process
    2176  Zahlung.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
    description              pid   process
    Token: SeDebugPrivilege  2840  RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Zahlung.exe
    pid   process
    2176  Zahlung.exe
    2176  Zahlung.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Zahlung.exe
    pid   process
    2176  Zahlung.exe
    2176  Zahlung.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Zahlung.exe
    description                      pid   process      target process
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
    PID 2176 wrote to memory of 2840  2176  Zahlung.exe  RegSvcs.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\Zahlung.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
  PID: 2176
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
    PID: 2840
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 263KB
  MD5: 91100deb27c4c88816fdb8d1be69eda8
  SHA1: fd660666af4ebfe633372683390686f56268022b
  SHA256: c540405943058396918fb9b04c8035435816bd0bb032496f6d5733f744c973bf
  SHA512: 2358ed584020e363ad2cbd578bcd81597f5e99828d1030522f9221890fe55ae22a54b21bbc1884253bf6fe2cd651532f2ca9d6373084d5cb24b163e2de8c1d3c