agenttesla | d318c7afbf8a03285e0f3b504491b573b295d60e98a605ef4b9e1546e38a0764

General

Target

Payment Swift #INV0189733-pdf.exe
Size

674KB
MD5

041a15f94d91d76249e1f18726779af6
SHA1

a142fb148f008e8492b9068d419692884ae0167d
SHA256

b5092e8fd4d7a8b9649b376301ea125eb63d8a5a04360c87a8140200ff31c478
SHA512

7181a863c493df25c1bd874653ddc4ceb9e4ed036b8059326564ba7f1ec6f36951cde910507f5761b0d5a3448c0140ce6c30cb7720b01cfc481e9c3d4d7801e8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.exgold-co.tk
Port:
587
Username:
[email protected]
Password:
001commander

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3704-137-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Swift #INV0189733-pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Payment Swift #INV0189733-pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Swift #INV0189733-pdf.exe

description pid process target process

PID 2684 set thread context of 3704 2684 Payment Swift #INV0189733-pdf.exe Payment Swift #INV0189733-pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3856 schtasks.exe

description	pid	process	target process
PID 2684 set thread context of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe

pid	process
3856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Payment Swift #INV0189733-pdf.exePayment Swift #INV0189733-pdf.exe

pid	process
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
2684	Payment Swift #INV0189733-pdf.exe
3704	Payment Swift #INV0189733-pdf.exe
3704	Payment Swift #INV0189733-pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Swift #INV0189733-pdf.exePayment Swift #INV0189733-pdf.exe

description pid process

Token: SeDebugPrivilege 2684 Payment Swift #INV0189733-pdf.exe
Token: SeDebugPrivilege 3704 Payment Swift #INV0189733-pdf.exe

description	pid	process
Token: SeDebugPrivilege	2684	Payment Swift #INV0189733-pdf.exe
Token: SeDebugPrivilege	3704	Payment Swift #INV0189733-pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Payment Swift #INV0189733-pdf.exe

C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBernDqBhwj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp29FE.tmp"
2⤵
- Creates scheduled task(s)
PID:3856

C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
"{path}"
2⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
"{path}"
2⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
"{path}"
2⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Swift #INV0189733-pdf.exe.log
Filesize
496B

MD5
7baa6583f69f63f7230df9bf98448356

SHA1
fe9eb85b57192362da704a3c130377fe83862320

SHA256
a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f

SHA512
0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29FE.tmp
Filesize
1KB

MD5
e9428daedb206e4cfacb4dc483a7afbd

SHA1
18730fb880a574907584e1ecc20df8a4a41a7b04

SHA256
d56149b9d0f59215075088b0336b653729258b4824b59b1446be507423d8c270

SHA512
de8f539dc5a66638e433d17cab20c565764bd81316efd36766013c393d20f8d3274ef1589cc05cc34e1d40e069b81df9ba82a59f6c6958049e4ef70439ebed31

Download Submit
memory/460-134-0x0000000000000000-mapping.dmp

Download
memory/1448-133-0x0000000000000000-mapping.dmp

Download
memory/2684-130-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3704-136-0x0000000000000000-mapping.dmp

Download
memory/3704-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3704-139-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3856-131-0x0000000000000000-mapping.dmp

Download
memory/3948-135-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2684 wrote to memory of 3856	2684	Payment Swift #INV0189733-pdf.exe	schtasks.exe
PID 2684 wrote to memory of 3856	2684	Payment Swift #INV0189733-pdf.exe	schtasks.exe
PID 2684 wrote to memory of 3856	2684	Payment Swift #INV0189733-pdf.exe	schtasks.exe
PID 2684 wrote to memory of 1448	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 1448	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 1448	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 460	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 460	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 460	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3948	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3948	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3948	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe
PID 2684 wrote to memory of 3704	2684	Payment Swift #INV0189733-pdf.exe	Payment Swift #INV0189733-pdf.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads