Analysis

  • max time kernel
    119s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-09-2024 07:51

General

  • Target

    Balance payment.exe

  • Size

    1.4MB

  • MD5

    86e5efa7d3dce6320ffcdfc12f628cba

  • SHA1

    d3d26c7eddb95e028c13b97f94f330e5ad5dbba4

  • SHA256

    07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6

  • SHA512

    cb5d2fa04260b9ca8b8200dfa8881d82ae7cd701822c0cb3c8df5846a6f315c60475a39dc9048094d78fc8c2be21e4df734b805ac2f205c3c67b1a1b89cd8e23

  • SSDEEP

    24576:ivrA5SXIIYCcp3WLcndXJp80oPQZ3aO30KISlm7mgXKrqEKdCSu59m6nnjqKoe:ivOkRYCcp3ZrpBooF1Tm6g6rFKdg9rjF

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OkbpwNyH.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkbpwNyH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2780
    • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
      "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3044
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wlBldyvi.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE698.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3064
      • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
        "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp

    Filesize

    1KB

    MD5

    ac6065f5e44ec98e6a947b6a5120493f

    SHA1

    11b150d83782a3af3a3f3c2359e6ff770abc4d03

    SHA256

    72516bc0e719ea36a90bd5c8cde5aaf9d4155e9541f534237a7c13469126fa3f

    SHA512

    0f1243f8b412d1a70ecf06cfa3df30f893949985a264c1d95228aad015251c479eb1b613ae61e06b18bc6e4efa230c3de3f6b1027a398e11d3c45ea716fa8ed7

  • C:\Users\Admin\AppData\Local\Temp\tmpE698.tmp

    Filesize

    1KB

    MD5

    d152d98c4f8e50fdc607f2d7f036ccac

    SHA1

    d732523f87632008051354a1864bac14058efa0e

    SHA256

    d88692fe8cfefc22697def3e3855c42a13075b2b4d2ed43623a9993b22ba14eb

    SHA512

    32fd7e460e0c868accbeb22bc51e9655df2b08005388391ce93300481611e680d7fce8d4df6633558ff8a62e0e22ea0d49423b91e9936277eecb66637ab6c4ff

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    46794fc62b44341fe1eb3d6762ebe8e8

    SHA1

    2ce32af42aba86001bec18224763c3192e3176af

    SHA256

    e7d4567596d00bf8417278c47d2c29f8022c74e98d88483fd178b8b2956f3979

    SHA512

    9efc444506922a6355d431e6c0b0e3d8f641a6b65d9395c75b04a8261f94a107a88ba1a7e907609588546670e1b4a9fbaf0b8a71599f9b9b85ab2b46745da8c4

  • C:\Users\Admin\AppData\Roaming\wlBldyvi.exe

    Filesize

    1.4MB

    MD5

    86e5efa7d3dce6320ffcdfc12f628cba

    SHA1

    d3d26c7eddb95e028c13b97f94f330e5ad5dbba4

    SHA256

    07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6

    SHA512

    cb5d2fa04260b9ca8b8200dfa8881d82ae7cd701822c0cb3c8df5846a6f315c60475a39dc9048094d78fc8c2be21e4df734b805ac2f205c3c67b1a1b89cd8e23

  • memory/652-55-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/652-57-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/652-59-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/652-62-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/652-65-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/652-63-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/652-53-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2228-32-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2228-33-0x0000000004F10000-0x0000000004FB0000-memory.dmp

    Filesize

    640KB

  • memory/2228-34-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/2228-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2228-30-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2228-29-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2228-22-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2228-20-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2228-26-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2228-36-0x00000000054C0000-0x0000000005542000-memory.dmp

    Filesize

    520KB

  • memory/2228-24-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

  • memory/2280-4-0x0000000000510000-0x0000000000520000-memory.dmp

    Filesize

    64KB

  • memory/2280-1-0x00000000011F0000-0x000000000135E000-memory.dmp

    Filesize

    1.4MB

  • memory/2280-35-0x0000000073EC0000-0x00000000745AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2280-3-0x0000000004EA0000-0x0000000004FCE000-memory.dmp

    Filesize

    1.2MB

  • memory/2280-2-0x0000000073EC0000-0x00000000745AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2280-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

    Filesize

    4KB

  • memory/2280-7-0x0000000005CC0000-0x0000000005DD6000-memory.dmp

    Filesize

    1.1MB

  • memory/2280-6-0x0000000073EC0000-0x00000000745AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2280-5-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

    Filesize

    4KB