agenttesla | 576c49c08e0fdf319e6bd95e0f2f6aa92e2460e8b9032cfd732b51261f48b757

General

Target

Payment Copy.exe
Size

469KB
MD5

c8b2f3ed20b96d896efed10bc72f4bc7
SHA1

0ffb6dbd026bc5287c25f916de027409732d774f
SHA256

576c49c08e0fdf319e6bd95e0f2f6aa92e2460e8b9032cfd732b51261f48b757
SHA512

4bd875483128845c4fca5bef793220cb7680065cafdf95222353150f2642d9215bdcff1d8d3d835a920d880b8ad36c1f24ef1cd4f778d77dce8dc411c1cffafe

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
payment1759

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3496-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/3496-3-0x0000000000446E3E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment Copy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\newApp = "C:\\Users\\Admin\\AppData\\Roaming\\newApp\\newApp.exe"	Payment Copy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Copy.exe

description pid process target process

PID 3892 set thread context of 3496 3892 Payment Copy.exe Payment Copy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3612 schtasks.exe

description	pid	process	target process
PID 3892 set thread context of 3496	3892	Payment Copy.exe	Payment Copy.exe

pid	process
3612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Payment Copy.exePayment Copy.exe

pid	process
3892	Payment Copy.exe
3892	Payment Copy.exe
3892	Payment Copy.exe
3892	Payment Copy.exe
3892	Payment Copy.exe
3496	Payment Copy.exe
3496	Payment Copy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Copy.exePayment Copy.exe

description pid process

Token: SeDebugPrivilege 3892 Payment Copy.exe
Token: SeDebugPrivilege 3496 Payment Copy.exe

description	pid	process
Token: SeDebugPrivilege	3892	Payment Copy.exe
Token: SeDebugPrivilege	3496	Payment Copy.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Payment Copy.exe

description	pid	process	target process
PID 3892 wrote to memory of 3612	3892	Payment Copy.exe	schtasks.exe
PID 3892 wrote to memory of 3612	3892	Payment Copy.exe	schtasks.exe
PID 3892 wrote to memory of 3612	3892	Payment Copy.exe	schtasks.exe
PID 3892 wrote to memory of 608	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 608	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 608	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 492	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 492	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 492	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe
PID 3892 wrote to memory of 3496	3892	Payment Copy.exe	Payment Copy.exe

C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jzmHEyUpLAePqd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F2B.tmp"
2⤵
- Creates scheduled task(s)
PID:3612

C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
2⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
2⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Copy.exe.log
MD5
ef140ef600b2463c9e7dbf064a104046

SHA1
c08fd1853877be95575ea2e860dd8cafef31f54c

SHA256
ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

SHA512
bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F2B.tmp
MD5
ea5e4b6c5ae36b6899cd35d506839bc3

SHA1
ebb4f102f1c8dacd0525adc2694c3fca115d8ca2

SHA256
b4196e531c33485e913e1c4e4f000be17348e0838bf24d2d1a72cd944e17a9e8

SHA512
4b5526a7fa889a83d83e95bd7465388c95ee7bdee3ec6d5aa292462fccdc22308d4bddd678f706e9702109076c06fff0c12e44bd9e1b58293c7e1d62ae4cf3f3

Download Submit
memory/3496-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3496-3-0x0000000000446E3E-mapping.dmp

Download
memory/3612-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads