agenttesla | 5654964b039231ce7a956b13d9c55c412ad05387b0f9b3dd800f2030eb1761d0

General

Target

Payment Advice.exe
Size

418KB
MD5

ffdaaef92b097c2edb85b1bdcf302b74
SHA1

5065f1b6378fa9f7d4793a93627ac3dd98a30bcd
SHA256

5654964b039231ce7a956b13d9c55c412ad05387b0f9b3dd800f2030eb1761d0
SHA512

0e17c8ee3afa0d497839d6868a46932652e3a21df3f5104b0b7cab68bf5fddf8bf2dc2bfa577bcc576b5c401ef6d7afa5e70726a47594684de159a8f06b0a7d6

Score

10^/10

spyware persistence keylogger trojan stealer agenttesla

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Payment Advice.exePayment Advice.exe

description	pid	process	target process
PID 1492 wrote to memory of 1820	1492	Payment Advice.exe	schtasks.exe
PID 1492 wrote to memory of 1820	1492	Payment Advice.exe	schtasks.exe
PID 1492 wrote to memory of 1820	1492	Payment Advice.exe	schtasks.exe
PID 1492 wrote to memory of 1820	1492	Payment Advice.exe	schtasks.exe
PID 1492 wrote to memory of 1836	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1836	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1836	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1836	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1832	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1832	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1832	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 1832	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 316	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 316	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 316	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 316	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 1492 wrote to memory of 652	1492	Payment Advice.exe	Payment Advice.exe
PID 652 wrote to memory of 1776	652	Payment Advice.exe	netsh.exe
PID 652 wrote to memory of 1776	652	Payment Advice.exe	netsh.exe
PID 652 wrote to memory of 1776	652	Payment Advice.exe	netsh.exe
PID 652 wrote to memory of 1776	652	Payment Advice.exe	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Advice.exePayment Advice.exe

description pid process

Token: SeDebugPrivilege 1492 Payment Advice.exe
Token: SeDebugPrivilege 652 Payment Advice.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Payment Advice.exePayment Advice.exe

pid process

1492 Payment Advice.exe
1492 Payment Advice.exe
1492 Payment Advice.exe
652 Payment Advice.exe
652 Payment Advice.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Advice.exe

description pid process target process

PID 1492 set thread context of 652 1492 Payment Advice.exe Payment Advice.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Payment Advice.exe

pid process

652 Payment Advice.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1820 schtasks.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process
Token: SeDebugPrivilege	1492	Payment Advice.exe
Token: SeDebugPrivilege	652	Payment Advice.exe

pid	process
1492	Payment Advice.exe
1492	Payment Advice.exe
1492	Payment Advice.exe
652	Payment Advice.exe
652	Payment Advice.exe

description	pid	process	target process
PID 1492 set thread context of 652	1492	Payment Advice.exe	Payment Advice.exe

pid	process
652	Payment Advice.exe

pid	process
1820	schtasks.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyDraNWzCWcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0F4.tmp"
2⤵
- Creates scheduled task(s)
PID:1820

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"{path}"
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"{path}"
2⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"{path}"
2⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
- Modifies service
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Modify Existing Service

1

T1031

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD0F4.tmp

Download Submit
memory/652-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/652-3-0x000000000044C92E-mapping.dmp

Download
memory/652-4-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/652-5-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1776-6-0x0000000000000000-mapping.dmp

Download
memory/1820-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads