agenttesla | c70bf2aeaa6b9f644dadc0617debe3ec20671adc1e2ee8c60a8a932bf99e3c63

General

Target

PAYMENT COPY.exe
Size

911KB
MD5

497fdb0a1fa8970ac4e81aa66278b6ed
SHA1

5bacbe7521f6d6de1a7efc85d92fddf7fd358b21
SHA256

c70bf2aeaa6b9f644dadc0617debe3ec20671adc1e2ee8c60a8a932bf99e3c63
SHA512

b52fccf2ff91ae3a4ed7d87ba14ba715a8780e7004e632995949757fc3f414312f12c1c141d5033c3764cfcbd6955644514ff1961813fe5551cace35cdfa66f1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dadabhoy.edu.pk
Port:
587
Username:
ghulam.sarwar@dadabhoy.edu.pk
Password:
Dadabhoy.456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1944-117-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/1944-118-0x000000000043754E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT COPY.exe

description pid process target process

PID 640 set thread context of 1944 640 PAYMENT COPY.exe PAYMENT COPY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3828 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PAYMENT COPY.exePAYMENT COPY.exe

pid process

640 PAYMENT COPY.exe
640 PAYMENT COPY.exe
640 PAYMENT COPY.exe
1944 PAYMENT COPY.exe
1944 PAYMENT COPY.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT COPY.exePAYMENT COPY.exe

description pid process

Token: SeDebugPrivilege 640 PAYMENT COPY.exe
Token: SeDebugPrivilege 1944 PAYMENT COPY.exe

description	pid	process	target process
PID 640 set thread context of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe

pid	process
3828	schtasks.exe

pid	process
640	PAYMENT COPY.exe
640	PAYMENT COPY.exe
640	PAYMENT COPY.exe
1944	PAYMENT COPY.exe
1944	PAYMENT COPY.exe

description	pid	process
Token: SeDebugPrivilege	640	PAYMENT COPY.exe
Token: SeDebugPrivilege	1944	PAYMENT COPY.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PAYMENT COPY.exe

description	pid	process	target process
PID 640 wrote to memory of 3828	640	PAYMENT COPY.exe	schtasks.exe
PID 640 wrote to memory of 3828	640	PAYMENT COPY.exe	schtasks.exe
PID 640 wrote to memory of 3828	640	PAYMENT COPY.exe	schtasks.exe
PID 640 wrote to memory of 1020	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1020	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1020	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 640 wrote to memory of 1944	640	PAYMENT COPY.exe	PAYMENT COPY.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XJjZTrL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp417A.tmp"
2⤵
- Creates scheduled task(s)
PID:3828

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
2⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PAYMENT COPY.exe.log
MD5
5e7bb97636a484b5a87e60373614279a

SHA1
36bfdec32eedb141a4a106d89a453326f62593ee

SHA256
12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20

SHA512
448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp417A.tmp
MD5
5ec0d09fb55c167b7fec5b30ccac17e6

SHA1
50136f896cc6b7882a68c09ce424350dbf7ab245

SHA256
b905c0723cfe3680d8f4275b2befa81289268884f61efac46b79beb56401f21f

SHA512
cd1f8a6028c9c585197aa17988359be47a1ac4007dba8160148492964465a2fd52f79ee1b43ae63dd83e79de773b2aa6f09b398076417d198be89b442821d917

Download Submit
memory/640-114-0x0000000000900000-0x0000000000A4A000-memory.dmp

Filesize
1.3MB

Download
memory/1944-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1944-118-0x000000000043754E-mapping.dmp

Download
memory/1944-120-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1944-121-0x0000000001181000-0x0000000001182000-memory.dmp

Filesize
4KB

Download
memory/3828-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads