agenttesla | 0f2f011ab5408672f97b1fca323554daf40b35bbfed4e587bcffea8a08ccf979

General

Target

Payment slip.exe
Size

711KB
MD5

974a56eac20cc277e84a6ccbfb71ee6d
SHA1

6029d991f11141d1ffc2353cfe7eff6c77fdb4db
SHA256

0f2f011ab5408672f97b1fca323554daf40b35bbfed4e587bcffea8a08ccf979
SHA512

ebe0b1f580e636ce21cc1677eb122a12c9afda17000b3120b49de077c27df53fd213c877c038b55ab3cc6a9b8d90457f3db3812daa8eabc98e4dedfc2e1550f3

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.scottbyscott.com
Port:
587
Username:
[email protected]
Password:
ngozi8989

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-68-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral1/memory/1696-67-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1696-69-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment slip.exe

description pid process target process

PID 1080 set thread context of 1696 1080 Payment slip.exe Payment slip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Payment slip.exePayment slip.exe

pid process

1080 Payment slip.exe
1080 Payment slip.exe
1696 Payment slip.exe
1696 Payment slip.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment slip.exePayment slip.exe

description pid process

Token: SeDebugPrivilege 1080 Payment slip.exe
Token: SeDebugPrivilege 1696 Payment slip.exe

description	pid	process	target process
PID 1080 set thread context of 1696	1080	Payment slip.exe	Payment slip.exe

pid	process
268	schtasks.exe

pid	process
1080	Payment slip.exe
1080	Payment slip.exe
1696	Payment slip.exe
1696	Payment slip.exe

description	pid	process
Token: SeDebugPrivilege	1080	Payment slip.exe
Token: SeDebugPrivilege	1696	Payment slip.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Payment slip.exe

description	pid	process	target process
PID 1080 wrote to memory of 268	1080	Payment slip.exe	schtasks.exe
PID 1080 wrote to memory of 268	1080	Payment slip.exe	schtasks.exe
PID 1080 wrote to memory of 268	1080	Payment slip.exe	schtasks.exe
PID 1080 wrote to memory of 268	1080	Payment slip.exe	schtasks.exe
PID 1080 wrote to memory of 844	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 844	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 844	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 844	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe
PID 1080 wrote to memory of 1696	1080	Payment slip.exe	Payment slip.exe

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OgcdgnFRYrN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp692E.tmp"
2⤵
- Creates scheduled task(s)
PID:268

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
2⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp692E.tmp
MD5
7f80a1ef0bde7b6933887863e9fb386b

SHA1
8f323489e992b6b37250d188e3d0963ff1dd3869

SHA256
909cd18a673f4608c4d771c2688f7c08f11789bef8ac013ab9ca43f9b6e0a220

SHA512
3c3576389ad18b94ae5db3b1e0055da9c504ee1cc48c3a4820a34f3bb643731a85751c6e684fb6fb5627002f3f713e04156947b0d94127a6a115d7f03828b89c

Download Submit
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/1080-59-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1080-61-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1080-62-0x0000000000760000-0x000000000077B000-memory.dmp

Filesize
108KB

Download
memory/1080-63-0x0000000005D40000-0x0000000005DBB000-memory.dmp

Filesize
492KB

Download
memory/1080-64-0x0000000000C50000-0x0000000000C8D000-memory.dmp

Filesize
244KB

Download
memory/1696-68-0x000000000043763E-mapping.dmp

Download
memory/1696-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-71-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads