agenttesla | ec6a3f5f18f8043573bb5f88f3c6409755c03ed9cff4605b27adf8143c92dd76

Analysis

max time kernel
136s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.exe
Size

560KB
MD5

d436adeaeda394dd9aae8361cb0b16f3
SHA1

49bcf22be48d8064ee369544873ba0546a48fcb1
SHA256

6426bb813f2c02db79c20887cdbb42bbb8a3c0f12b34369fe24150408eaf8f8b
SHA512

859d3795952f0e5a9fffb9ccecab1d30c4fac023b85a27d3cfca56b35a3627f56c96a2b99f4abdcc5226f2ab22da2a1f164cddd6bc6d21cd45a16282529bedb5

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
homeboy12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/780-66-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/780-67-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/780-69-0x000000000044CDCE-mapping.dmp	family_agenttesla
behavioral1/memory/780-68-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/780-71-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/780-73-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/380-57-0x00000000006F0000-0x000000000074A000-memory.dmp	rezer0

Drops file in Drivers directory 1 IoCs

Processes:

Payment Slip.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Payment Slip.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Payment Slip.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Slip.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Payment Slip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Payment Slip.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Payment Slip.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Payment Slip.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Payment Slip.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment Slip.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppData = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\AppData.exe"	Payment Slip.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Payment Slip.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Payment Slip.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Slip.exe

description pid process target process

PID 380 set thread context of 780 380 Payment Slip.exe Payment Slip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

680 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

1008 REG.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exePayment Slip.exePayment Slip.exe

pid process

1004 powershell.exe
380 Payment Slip.exe
780 Payment Slip.exe
780 Payment Slip.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Payment Slip.exe

pid process

780 Payment Slip.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exePayment Slip.exePayment Slip.exe

description pid process

Token: SeDebugPrivilege 1004 powershell.exe
Token: SeDebugPrivilege 380 Payment Slip.exe
Token: SeDebugPrivilege 780 Payment Slip.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Payment Slip.exe

pid process

780 Payment Slip.exe

description	pid	process	target process
PID 380 set thread context of 780	380	Payment Slip.exe	Payment Slip.exe

pid	process
680	schtasks.exe

pid	process
1008	REG.exe

pid	process
1004	powershell.exe
380	Payment Slip.exe
780	Payment Slip.exe
780	Payment Slip.exe

pid	process
780	Payment Slip.exe

description	pid	process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	380	Payment Slip.exe
Token: SeDebugPrivilege	780	Payment Slip.exe

pid	process
780	Payment Slip.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Payment Slip.exePayment Slip.exe

description	pid	process	target process
PID 380 wrote to memory of 1004	380	Payment Slip.exe	powershell.exe
PID 380 wrote to memory of 1004	380	Payment Slip.exe	powershell.exe
PID 380 wrote to memory of 1004	380	Payment Slip.exe	powershell.exe
PID 380 wrote to memory of 1004	380	Payment Slip.exe	powershell.exe
PID 380 wrote to memory of 680	380	Payment Slip.exe	schtasks.exe
PID 380 wrote to memory of 680	380	Payment Slip.exe	schtasks.exe
PID 380 wrote to memory of 680	380	Payment Slip.exe	schtasks.exe
PID 380 wrote to memory of 680	380	Payment Slip.exe	schtasks.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 380 wrote to memory of 780	380	Payment Slip.exe	Payment Slip.exe
PID 780 wrote to memory of 1008	780	Payment Slip.exe	REG.exe
PID 780 wrote to memory of 1008	780	Payment Slip.exe	REG.exe
PID 780 wrote to memory of 1008	780	Payment Slip.exe	REG.exe
PID 780 wrote to memory of 1008	780	Payment Slip.exe	REG.exe
PID 780 wrote to memory of 2004	780	Payment Slip.exe	netsh.exe
PID 780 wrote to memory of 2004	780	Payment Slip.exe	netsh.exe
PID 780 wrote to memory of 2004	780	Payment Slip.exe	netsh.exe
PID 780 wrote to memory of 2004	780	Payment Slip.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe

outlook_win_path 1 IoCs

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
1⤵
- Checks BIOS information in registry
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gjIgVtzINQqI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BEF.tmp"
2⤵
- Creates scheduled task(s)
PID:680

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:780

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1008

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4BEF.tmp

Filesize
1KB

MD5
e23b72e56982918a886124f76762ebdc

SHA1
248d9590c3b5be2e2e11b719d09c9fa9712cebaa

SHA256
c0f334435583cf0a3d59431837b6abce08d66843f77bbd2950a36592b82bd237

SHA512
9401f83f0fee93da8ae24831dacfa9cabc952806dd15366ff17e0aba746f01a4b03f99882dae668a51e788105fa1f2ce48c6706eaa7f063e779911e40f301d0d

Download Submit
memory/380-55-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/380-56-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/380-57-0x00000000006F0000-0x000000000074A000-memory.dmp

Filesize
360KB

Download
memory/380-54-0x0000000001380000-0x0000000001412000-memory.dmp

Filesize
584KB

Download
memory/680-61-0x0000000000000000-mapping.dmp

Download
memory/780-69-0x000000000044CDCE-mapping.dmp

Download
memory/780-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/780-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/780-66-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/780-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/780-68-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/780-71-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/780-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1004-60-0x000000006FDE0000-0x000000007038B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-58-0x0000000000000000-mapping.dmp

Download
memory/1008-75-0x0000000000000000-mapping.dmp

Download
memory/2004-76-0x0000000000000000-mapping.dmp

Download