Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-06-2024 16:44
Static task: static1
Behavioral task: behavioral1
- Sample: Zahlung.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: Zahlung.exe
- Resource: win10v2004-20240611-en
General
- Target: Zahlung.exe
- Size: 1.1MB
- MD5: e943b414bd144ca2b31d14538bba561c
- SHA1: 620667c51ffe854b6584c9d26e4c42623621e5a9
- SHA256: 0e1e4938f829e6a6812c2b3f8ec8a0fbeaa7f8935c472921e332023fbbf953c4
- SHA512: 63dcbecd15cc7930ff42d6996114e54a69f0f9343ac10501448df7fa7502fb6e4d3b349424a056f960b66724b0273bed03d0aec573609911bedf6cee691d4747
- SSDEEP: 24576:3AHnh+eWsN3skA4RV1Hom2KXMmHai3+BHBM1FMFei5:qh+ZkldoPK8Yai3XFMFv
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 20: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 2132 (Zahlung.exe) set thread context of PID 5092 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 5092 RegSvcs.exe (3 occurrences)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  PID 4944 Zahlung.exe
  PID 3672 Zahlung.exe
  PID 2132 Zahlung.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 5092 RegSvcs.exe enabled token privilege SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (6 IoCs)
  PID 4944 Zahlung.exe (2 occurrences)
  PID 3672 Zahlung.exe (2 occurrences)
  PID 2132 Zahlung.exe (2 occurrences)
- Suspicious use of SendNotifyMessage (6 IoCs)
  PID 4944 Zahlung.exe (2 occurrences)
  PID 3672 Zahlung.exe (2 occurrences)
  PID 2132 Zahlung.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 4944 Zahlung.exe wrote to memory of PID 4964 RegSvcs.exe (3 occurrences)
  PID 4944 Zahlung.exe wrote to memory of PID 3672 Zahlung.exe (3 occurrences)
  PID 3672 Zahlung.exe wrote to memory of PID 1352 RegSvcs.exe (3 occurrences)
  PID 3672 Zahlung.exe wrote to memory of PID 2132 Zahlung.exe (3 occurrences)
  PID 2132 Zahlung.exe wrote to memory of PID 5092 RegSvcs.exe (4 occurrences)
Processes (tree depth shown by indentation; each entry gives the on-disk image, then the observed command line)
PID 4944  C:\Users\Admin\AppData\Local\Temp\Zahlung.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID 4964  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
  PID 3672  C:\Users\Admin\AppData\Local\Temp\Zahlung.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID 1352  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
    PID 2132  C:\Users\Admin\AppData\Local\Temp\Zahlung.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID 5092  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
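The tree above shows the pattern a triage analyst looks for: each Zahlung.exe instance spawns a .NET RegSvcs.exe whose command line still names Zahlung.exe, writes into it, and (for PID 5092) rewrites its thread context before that child goes on to enumerate processes with SeDebugPrivilege. The following is an added example, not code from the report or from the sandbox vendor. It transcribes the report's PIDs, image paths, command lines and WriteProcessMemory / SetThreadContext events into Python, rebuilds the tree, and flags children whose command-line executable does not match the image actually running and that a parent has written into. The parent PIDs are inferred from the nesting depth in the report, and the "medium"/"high" severity rule is an assumption of this example, not a sandbox verdict.

```python
"""Process-tree reconstruction and hollowing triage over the sandbox events above.

Added example (not part of the report). PIDs, images, command lines and
memory-write / thread-context events are transcribed from the report; the
parent PIDs and the severity rule are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the tree
    image: str            # on-disk image the sandbox saw executing
    cmdline: str          # command line as observed


@dataclass
class Finding:
    pid: int
    image: str
    claimed_image: str                 # executable named on the command line
    writers: Set[int] = field(default_factory=set)
    context_setters: Set[int] = field(default_factory=set)

    @property
    def severity(self) -> str:
        # Memory writes alone rate 'medium'; a rewritten thread context in a
        # child whose command line misnames its image rates 'high' (assumed rule).
        return "high" if self.context_setters else "medium"


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Zahlung.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
QUOTED = f'"{TEMP_EXE}"'

# Transcribed from the report's process tree; ppid follows the nesting depth (assumption).
PROCS: List[Proc] = [
    Proc(4944, None, TEMP_EXE, QUOTED),
    Proc(4964, 4944, REGSVCS, QUOTED),
    Proc(3672, 4944, TEMP_EXE, QUOTED),
    Proc(1352, 3672, REGSVCS, QUOTED),
    Proc(2132, 3672, TEMP_EXE, QUOTED),
    Proc(5092, 2132, REGSVCS, QUOTED),
]

# (kind, source pid, target pid), repeated as many times as the report lists them.
EVENTS: List[Tuple[str, int, int]] = (
    [("write", 4944, 4964)] * 3
    + [("write", 4944, 3672)] * 3
    + [("write", 3672, 1352)] * 3
    + [("write", 3672, 2132)] * 3
    + [("write", 2132, 5092)] * 4
    + [("setctx", 2132, 5092)]
)


def first_token(cmdline: str) -> str:
    """Return the program path from a Windows command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def render_tree(procs: List[Proc]) -> str:
    """Indented tree: pid, on-disk image basename and observed command line."""
    children: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    lines: List[str] = []

    def walk(ppid: Optional[int], depth: int) -> None:
        for p in children.get(ppid, []):
            lines.append(f"{'  ' * depth}{p.pid} {ntpath.basename(p.image)}  cmdline={p.cmdline}")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return "\n".join(lines)


def find_hollowing(procs: List[Proc], events: List[Tuple[str, int, int]]) -> List[Finding]:
    """Flag processes whose command line names a different executable than the
    running image and that another process wrote into or re-pointed the thread
    context of. Sorted by pid."""
    candidates: Dict[int, Finding] = {}
    for p in procs:
        claimed = ntpath.basename(first_token(p.cmdline)).lower()
        actual = ntpath.basename(p.image).lower()
        if claimed != actual:
            candidates[p.pid] = Finding(p.pid, p.image, claimed)
    for kind, src, dst in events:
        f = candidates.get(dst)
        if f is None:
            continue          # writes into a same-image child (the self-relaunch) are not scored here
        if kind == "write":
            f.writers.add(src)
        elif kind == "setctx":
            f.context_setters.add(src)
    return sorted((f for f in candidates.values() if f.writers or f.context_setters),
                  key=lambda f: f.pid)


if __name__ == "__main__":
    print(render_tree(PROCS))
    for f in find_hollowing(PROCS, EVENTS):
        print(f"[{f.severity}] pid {f.pid}: {ntpath.basename(f.image)} claims to be "
              f"{f.claimed_image}; written by {sorted(f.writers)}, "
              f"thread context set by {sorted(f.context_setters)}")
```

Run against the report's data, all three RegSvcs.exe children are flagged; only PID 5092, the one whose thread context PID 2132 rewrote and which then enumerated processes with SeDebugPrivilege, reaches the "high" tier. The same image-versus-command-line check applies to endpoint telemetry (Sysmon event 1 or 10 with CreateRemoteThread/ProcessAccess data), where the parent PID is recorded rather than inferred.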
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 263KB
  MD5: 91100deb27c4c88816fdb8d1be69eda8
  SHA1: fd660666af4ebfe633372683390686f56268022b
  SHA256: c540405943058396918fb9b04c8035435816bd0bb032496f6d5733f744c973bf
  SHA512: 2358ed584020e363ad2cbd578bcd81597f5e99828d1030522f9221890fe55ae22a54b21bbc1884253bf6fe2cd651532f2ca9d6373084d5cb24b163e2de8c1d3c
- Filesize: 9KB
  MD5: 5dbd3731c4e82090e8d7bbfa87d3e8c6
  SHA1: 1a34fbcd51800f82d77dafbca7e1081248601577
  SHA256: 0da2d25f61a2a14e789b67ef3ef4edd0e9f2a4e651afca20c91c8e9eafde021c
  SHA512: 390132af2dcb1e05bbfefafd445cfa6d8e37d68ceb2a1b8585da78c485b71ce09249d823c8c7877770dc14b023f50e64f719b262dbf6e3c91aa621dfd41595f8
- Filesize: not listed (these four digests are the well-known hashes of zero-byte input, so this entry is an empty download and not a usable file IoC)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 28KB
  MD5: 96084ea3c6549d0e6aaa677025a9a0e1
  SHA1: 766ca2e726767fc9bf8ebaf4e075a105b155b583
  SHA256: df315e50b5b1cced6a2e839cb043597c8ae5261aa3b00b3c833d9fb771163951
  SHA512: 32fc8c0a79265aaa49c3f26004c83460cdff2d8ebec165dd8022d73eff4a3b3e48f9b1f76f443f1a185d40463efcee54a6f1e10cdf92c33eac07e07c882c2103