agenttesla | c12e031a1e589282b9d1833184ff2153a57d324a0f60c86fb6e836e7b09c43a8

General

Target

Payment-Receipt.scr
Size

547KB
MD5

d878c38dcae8eb7855f194b29fde64e3
SHA1

a3c6e85f4ec15bffbdf1523564816d93e447a56b
SHA256

7fc2806d0821e5367c81773db3f59020ca283312b9975ef3ee19c139af0a4d69
SHA512

8ffa3435a879bf396a0e9482d8a14675e627b61256e49d12f29fe99cd0cf55718c3b807a033068c07a09e6188f30f6f4903a15e5310f1d5b17db45f12e73fcee

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4260-134-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-137-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-138-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-140-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-139-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-141-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-143-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-142-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-145-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-147-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-148-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-151-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-153-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-154-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/4260-156-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment-Receipt.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment-Receipt.scr

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Payment-Receipt.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment-Receipt.scr
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment-Receipt.scr
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment-Receipt.scr

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment-Receipt.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Window Updater\\Window Updater.exe"	Payment-Receipt.scr

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment-Receipt.scr

description pid process target process

PID 2896 set thread context of 4260 2896 Payment-Receipt.scr Payment-Receipt.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4896 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Payment-Receipt.scr

pid process

4260 Payment-Receipt.scr
4260 Payment-Receipt.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Payment-Receipt.scr

description pid process

Token: SeDebugPrivilege 4260 Payment-Receipt.scr
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Payment-Receipt.scr

pid process

4260 Payment-Receipt.scr

flow	ioc
48	checkip.amazonaws.com

description	pid	process	target process
PID 2896 set thread context of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr

pid	process
4896	schtasks.exe

pid	process
4260	Payment-Receipt.scr
4260	Payment-Receipt.scr

description	pid	process
Token: SeDebugPrivilege	4260	Payment-Receipt.scr

pid	process
4260	Payment-Receipt.scr

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Payment-Receipt.scr

description	pid	process	target process
PID 2896 wrote to memory of 4896	2896	Payment-Receipt.scr	schtasks.exe
PID 2896 wrote to memory of 4896	2896	Payment-Receipt.scr	schtasks.exe
PID 2896 wrote to memory of 4896	2896	Payment-Receipt.scr	schtasks.exe
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr
PID 2896 wrote to memory of 4260	2896	Payment-Receipt.scr	Payment-Receipt.scr

outlook_office_path 1 IoCs

Processes:

Payment-Receipt.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment-Receipt.scr

outlook_win_path 1 IoCs

Processes:

Payment-Receipt.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment-Receipt.scr

C:\Users\Admin\AppData\Local\Temp\Payment-Receipt.scr
"C:\Users\Admin\AppData\Local\Temp\Payment-Receipt.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhwDIlhqTdra" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10A9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\Payment-Receipt.scr
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment-Receipt.scr.log

Filesize
586B

MD5
e7754d33dec8483aeec8793fa480d33f

SHA1
e273f70ee5466ba99bd2d6024796190fc175a128

SHA256
aabf1eaeba67481fc676126b41599b7dcd9dfa5821f1cb0599d088dc1ce1e743

SHA512
68a769c8287f8d3846e7c09fed441a6684416b0ced66a6a6d8183c4dd7a24c85c83fd2c77fa0471056ca1edcb435ead38a3de2cfae4869558b166c0a26928c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10A9.tmp

Filesize
1KB

MD5
f1942505c775c710146ff289055c989c

SHA1
f8a442044276db4c4c359658f07e14a754893be1

SHA256
93d2ceaafb9ef267562f89c7305c6d237c3beb07325b8c40b543690b11cc85d5

SHA512
f8c815fe406ea5e94aed2acca5f4b871409ba1de2d36939579bfab76aa69c5e27a4a5b5795b3bc973fb3b7c40afe3f9bf06f18f98a5a97cd87587d0747c18dcd

Download Submit
memory/2896-130-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4260-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-142-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-133-0x0000000000000000-mapping.dmp

Download
memory/4260-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-140-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-157-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4260-143-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-134-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-147-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-148-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-151-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-153-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-154-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4260-156-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4896-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads