agenttesla | 1018aa0f641a722fc61ac3135050ab53f6562f6050b40c679d02b2f8b745960f

General

Target

PAYMEN~0.SCR
Size

92KB
MD5

fd8a66ce8c50c375cca9bd9b5408e173
SHA1

ef344ca7340100a9cc1ec8049fcdaafad9b70422
SHA256

1018aa0f641a722fc61ac3135050ab53f6562f6050b40c679d02b2f8b745960f
SHA512

73b0c9e8f53b24eef223e4565cee232f94f4ee4df61836e734793cb534ae3a4cb8ef72b2febdb8fbefedb173f3a9ca5355bba9512d1825eea980652030456a4b

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tccinfaes.com
Port:
587
Username:
[email protected]
Password:
TccBps1427log

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/572-75-0x0000000000400000-0x0000000000553000-memory.dmp	family_agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PAYMEN~0.SCRcaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	PAYMEN~0.SCR
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

572 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

PAYMEN~0.SCRcaspol.exe

pid process

1416 PAYMEN~0.SCR
572 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMEN~0.SCR

description pid process target process

PID 1416 set thread context of 572 1416 PAYMEN~0.SCR caspol.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

caspol.exe

pid process

572 caspol.exe
572 caspol.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PAYMEN~0.SCR

pid process

1416 PAYMEN~0.SCR
1416 PAYMEN~0.SCR
1416 PAYMEN~0.SCR
1416 PAYMEN~0.SCR
1416 PAYMEN~0.SCR
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caspol.exe

description pid process

Token: SeDebugPrivilege 572 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PAYMEN~0.SCR

pid process

1416 PAYMEN~0.SCR

pid	process
572	caspol.exe

pid	process
1416	PAYMEN~0.SCR
572	caspol.exe

description	pid	process	target process
PID 1416 set thread context of 572	1416	PAYMEN~0.SCR	caspol.exe

pid	process
572	caspol.exe
572	caspol.exe

pid	process
1416	PAYMEN~0.SCR
1416	PAYMEN~0.SCR
1416	PAYMEN~0.SCR
1416	PAYMEN~0.SCR
1416	PAYMEN~0.SCR

description	pid	process
Token: SeDebugPrivilege	572	caspol.exe

pid	process
1416	PAYMEN~0.SCR

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PAYMEN~0.SCR

description	pid	process	target process
PID 1416 wrote to memory of 472	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 472	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 472	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 472	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 516	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 516	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 516	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 516	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1396	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1396	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1396	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1396	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1476	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1476	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1476	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 1476	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 572	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 572	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 572	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 572	1416	PAYMEN~0.SCR	caspol.exe
PID 1416 wrote to memory of 572	1416	PAYMEN~0.SCR	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR
"C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR" /S
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR" /S
2⤵
PID:472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR" /S
2⤵
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR" /S
2⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR" /S
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMEN~0.SCR" /S
2⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-70-0x0000000000210000-0x0000000000310000-memory.dmp

Filesize
1024KB

Download
memory/572-79-0x000000001DBF1000-0x000000001DBF2000-memory.dmp

Filesize
4KB

Download
memory/572-78-0x000000001DBF0000-0x000000001DBF1000-memory.dmp

Filesize
4KB

Download
memory/572-76-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/572-75-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/572-74-0x0000000077370000-0x00000000774F0000-memory.dmp

Filesize
1.5MB

Download
memory/572-66-0x0000000000FD768E-mapping.dmp

Download
memory/572-73-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/1416-59-0x0000000077190000-0x0000000077339000-memory.dmp

Filesize
1.7MB

Download
memory/1416-67-0x0000000077370000-0x00000000774F0000-memory.dmp

Filesize
1.5MB

Download
memory/1416-69-0x0000000077370000-0x00000000774F0000-memory.dmp

Filesize
1.5MB

Download
memory/1416-68-0x0000000077370000-0x00000000774F0000-memory.dmp

Filesize
1.5MB

Download
memory/1416-60-0x0000000077370000-0x00000000774F0000-memory.dmp

Filesize
1.5MB

Download
memory/1416-54-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1416-58-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1416-56-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1416-55-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads