Overview

overview

10

Static

static

3

Balance payment.exe

windows7-x64

10

Balance payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2024, 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Balance payment.exe

  • Size

    1.2MB

  • MD5

    2a9d09fc65e58d1589d0d10eb43c094a

  • SHA1

    411e29bdd4bf197ad7a44d4c675e0c0dd78538dd

  • SHA256

    0fc79caa00d59d4864ef9d4218cf238e52ae8208906c8e4d0a5d8e81c3607eb4

  • SHA512

    b67e6fb8a2a8d521ba395b8596c2d46212e631d1e04ccc0e67a0a50d6bd42943d1ff2b1aa9a4f317a1cc4fadfa930c80c4b88f97d484cd5ef0b6d3b82a4bd820

  • SSDEEP

    24576:YB6iYOAM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhV0:YBDMw8LrMx

Score
10/10
agentteslacredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 12 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "po" /t REG_SZ /d "C:\Program Files (x86)\po.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 12
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1412
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "po" /t REG_SZ /d "C:\Program Files (x86)\po.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2296
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe" "C:\Program Files (x86)\po.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Program Files (x86)\po.exe"
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 21
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3484
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 21
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4084
      • C:\Program Files (x86)\po.exe
        "C:\Program Files (x86)\po.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\po.exe
    Filesize

    1.2MB

    MD5

    2a9d09fc65e58d1589d0d10eb43c094a

    SHA1

    411e29bdd4bf197ad7a44d4c675e0c0dd78538dd

    SHA256

    0fc79caa00d59d4864ef9d4218cf238e52ae8208906c8e4d0a5d8e81c3607eb4

    SHA512

    b67e6fb8a2a8d521ba395b8596c2d46212e631d1e04ccc0e67a0a50d6bd42943d1ff2b1aa9a4f317a1cc4fadfa930c80c4b88f97d484cd5ef0b6d3b82a4bd820

    Download Submit

  • memory/728-27-0x0000000006280000-0x00000000062D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/728-26-0x0000000004ED0000-0x0000000004F36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/728-23-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1080-5-0x0000000005180000-0x000000000521E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1080-3-0x00000000055F0000-0x0000000005B94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1080-6-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1080-7-0x0000000005080000-0x000000000508A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1080-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1080-10-0x00000000747C0000-0x0000000074F70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1080-4-0x00000000050E0000-0x0000000005172000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1080-1-0x0000000000430000-0x000000000055E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1080-2-0x0000000004F00000-0x0000000004F9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1080-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4396-18-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4396-20-0x0000000006F70000-0x0000000006F76000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4396-21-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4396-22-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4396-19-0x0000000006920000-0x000000000693A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4396-25-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4396-16-0x00000000001F0000-0x000000000031E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4396-17-0x0000000074790000-0x0000000074F40000-memory.dmp

    Filesize

    7.7MB

    Download