Overview

overview

10

Static

static

3

payment_slip.exe

windows7-x64

10

payment_slip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment_slip.exe

  • Size

    743KB

  • MD5

    b2e13b5a8173ef717d056a348001e4cc

  • SHA1

    ebd6d6d14aaaaf47cb891406b834d5505e088271

  • SHA256

    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924

  • SHA512

    ec8fecc4f545980209fd4a81187ff3cbec224ddf568bf007dba99b86daf4d48b1538e8fcc13ccb85b6e1000ecfcc7e25c6a92c17fa50dcb53da41784d181d91e

  • SSDEEP

    12288:iDCu7+JNLLzmHjR/Qw1iO116TWWaQjqF0UKWx2l+g05MjFvP990MeU4KBomWf:z/JlLKDRQwt4abQGF9xs+g0uFvwUlGmE

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment_slip.exe
    "C:\Users\Admin\AppData\Local\Temp\payment_slip.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment_slip.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xprNhn.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2908
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xprNhn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFFA.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3028
    • C:\Users\Admin\AppData\Local\Temp\payment_slip.exe
      "C:\Users\Admin\AppData\Local\Temp\payment_slip.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEFFA.tmp
    Filesize

    1KB

    MD5

    94c54b0ed9c2b51684dd7003133776ee

    SHA1

    33bc623dfcf1e8f8f06c5fe181776a1bc9720c92

    SHA256

    00863f169279a8b1a3eac34fff3a5d15171fde7d5a14757dff91cbbfbf273a36

    SHA512

    f7fe961bbdf0df60a7beeb0bf5a661eff16c15b5b5141a10be98ef9dc5d22f1cf3a2ea105cee04e23e8d1e99c4cfe611902d0318dc761f6259f5acc4c8104cd3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDZ91378FW4P430XC12N.temp
    Filesize

    7KB

    MD5

    ba7571999a25a2123374260b556c9ff8

    SHA1

    1e8e1a07b2b2f8233b816ffb5a0e41f573cabbbd

    SHA256

    ad048b6c4af8d833cacfc46f241bdd449f1c770c1abbf9431a1e874ecd7ea211

    SHA512

    da009b370d3b752718ba4b83bb1ddde48fe69d71be5fec0f8809efd2f9f60d00c46145a0cd5c7f0bf73f3d778068c191778c0656088c19e95a86a892273a5d11

    Download Submit

  • memory/2112-4-0x000000007485E000-0x000000007485F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-32-0x0000000074850000-0x0000000074F3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-0-0x000000007485E000-0x000000007485F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-5-0x0000000074850000-0x0000000074F3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-6-0x00000000041C0000-0x0000000004246000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2112-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-1-0x0000000000B20000-0x0000000000BE0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2112-3-0x0000000000440000-0x000000000045E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2844-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2844-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2844-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2844-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2844-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2844-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2844-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download