agenttesla | ec6a3f5f18f8043573bb5f88f3c6409755c03ed9cff4605b27adf8143c92dd76

Analysis

max time kernel
99s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.exe
Size

560KB
MD5

d436adeaeda394dd9aae8361cb0b16f3
SHA1

49bcf22be48d8064ee369544873ba0546a48fcb1
SHA256

6426bb813f2c02db79c20887cdbb42bbb8a3c0f12b34369fe24150408eaf8f8b
SHA512

859d3795952f0e5a9fffb9ccecab1d30c4fac023b85a27d3cfca56b35a3627f56c96a2b99f4abdcc5226f2ab22da2a1f164cddd6bc6d21cd45a16282529bedb5

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
homeboy12345

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
homeboy12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1456-155-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Drops file in Drivers directory 1 IoCs

Processes:

Payment Slip.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Payment Slip.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Payment Slip.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Slip.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Payment Slip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Payment Slip.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Slip.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Payment Slip.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Payment Slip.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Payment Slip.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment Slip.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppData = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\AppData.exe"	Payment Slip.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Payment Slip.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Payment Slip.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Slip.exe

description pid process target process

PID 3980 set thread context of 1456 3980 Payment Slip.exe Payment Slip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

252 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

3668 REG.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exePayment Slip.exePayment Slip.exe

pid process

4788 powershell.exe
4788 powershell.exe
3980 Payment Slip.exe
1456 Payment Slip.exe
1456 Payment Slip.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Payment Slip.exe

pid process

1456 Payment Slip.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exePayment Slip.exePayment Slip.exe

description pid process

Token: SeDebugPrivilege 4788 powershell.exe
Token: SeDebugPrivilege 3980 Payment Slip.exe
Token: SeDebugPrivilege 1456 Payment Slip.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Payment Slip.exe

pid process

1456 Payment Slip.exe

description	pid	process	target process
PID 3980 set thread context of 1456	3980	Payment Slip.exe	Payment Slip.exe

pid	process
252	schtasks.exe

pid	process
3668	REG.exe

pid	process
4788	powershell.exe
4788	powershell.exe
3980	Payment Slip.exe
1456	Payment Slip.exe
1456	Payment Slip.exe

pid	process
1456	Payment Slip.exe

description	pid	process
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	3980	Payment Slip.exe
Token: SeDebugPrivilege	1456	Payment Slip.exe

pid	process
1456	Payment Slip.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Payment Slip.exePayment Slip.exe

description	pid	process	target process
PID 3980 wrote to memory of 4788	3980	Payment Slip.exe	powershell.exe
PID 3980 wrote to memory of 4788	3980	Payment Slip.exe	powershell.exe
PID 3980 wrote to memory of 4788	3980	Payment Slip.exe	powershell.exe
PID 3980 wrote to memory of 252	3980	Payment Slip.exe	schtasks.exe
PID 3980 wrote to memory of 252	3980	Payment Slip.exe	schtasks.exe
PID 3980 wrote to memory of 252	3980	Payment Slip.exe	schtasks.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 3980 wrote to memory of 1456	3980	Payment Slip.exe	Payment Slip.exe
PID 1456 wrote to memory of 3668	1456	Payment Slip.exe	REG.exe
PID 1456 wrote to memory of 3668	1456	Payment Slip.exe	REG.exe
PID 1456 wrote to memory of 3668	1456	Payment Slip.exe	REG.exe
PID 1456 wrote to memory of 4392	1456	Payment Slip.exe	netsh.exe
PID 1456 wrote to memory of 4392	1456	Payment Slip.exe	netsh.exe
PID 1456 wrote to memory of 4392	1456	Payment Slip.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe

outlook_win_path 1 IoCs

Processes:

Payment Slip.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment Slip.exe

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gjIgVtzINQqI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF2A.tmp"
2⤵
- Creates scheduled task(s)
PID:252

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1456

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:3668

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Slip.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF2A.tmp

Filesize
1KB

MD5
89e7c5d1bfcdd5a0c60ec750de8cd52c

SHA1
74d91da95b44c4f19c573c687b54f969c4cb04a4

SHA256
bbdbe41f71c60503b59b87d89f0093f98c3d94268742dfac93cdf52d05808383

SHA512
46b9b093192a0f09f07a529e106120d591b3388ad7922fba7bfc75eee39e6730cb2d5553d2b8ba69f7488ccc0a54008ee114cc5397dd1795b58b66f759ae457f

Download Submit
memory/252-152-0x0000000000000000-mapping.dmp

Download
memory/1456-155-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1456-158-0x0000000006B10000-0x0000000006B60000-memory.dmp

Filesize
320KB

Download
memory/1456-154-0x0000000000000000-mapping.dmp

Download
memory/3668-157-0x0000000000000000-mapping.dmp

Download
memory/3980-134-0x0000000007380000-0x000000000741C000-memory.dmp

Filesize
624KB

Download
memory/3980-133-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/3980-130-0x0000000000490000-0x0000000000522000-memory.dmp

Filesize
584KB

Download
memory/3980-132-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/3980-131-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/4392-159-0x0000000000000000-mapping.dmp

Download
memory/4788-144-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/4788-142-0x00000000061A0000-0x00000000061D2000-memory.dmp

Filesize
200KB

Download
memory/4788-145-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/4788-146-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/4788-147-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/4788-148-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/4788-149-0x00000000070F0000-0x00000000070FE000-memory.dmp

Filesize
56KB

Download
memory/4788-150-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/4788-151-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/4788-143-0x0000000070130000-0x000000007017C000-memory.dmp

Filesize
304KB

Download
memory/4788-141-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

Filesize
120KB

Download
memory/4788-140-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/4788-139-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4788-138-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/4788-137-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/4788-136-0x00000000045F0000-0x0000000004626000-memory.dmp

Filesize
216KB

Download
memory/4788-135-0x0000000000000000-mapping.dmp

Download