agenttesla | faaa6cb489016f708b2b2ddd9dec8af64379858e1024cca2392b16f409e00386

General

Target

INVOICE #24560908.exe
Size

783KB
MD5

effa64d665cc881b80faefb053896c75
SHA1

314ae8a3bfbbae37b92ab9c1d4e72a2f3ba77959
SHA256

9d6b6913c2b8b1084f4177076c9c2b759ce8a903bc7baf1b1c0ef3bf5635c361
SHA512

8edb0d1298146e744847cc4efafcce3da52859b3beef6d8e3ca15049188abab93f1fb7c097cae4515d2faca29662d57fb7c3dbb5a9be8c9fadd89bdb38c15fc7
SSDEEP

24576:QivLGVB70aw1s/U97WopiNc9/LkInstI:+VB70aw1u8piN0/LMt

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.southernboilers.org
Port:
587
Username:
info@southernboilers.org
Password:
Sksmoke2018#
Email To:
obtxxxtf@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE #24560908.exe

description pid process target process

PID 1640 set thread context of 1492 1640 INVOICE #24560908.exe INVOICE #24560908.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1068 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

INVOICE #24560908.exeINVOICE #24560908.exe

pid process

1640 INVOICE #24560908.exe
1492 INVOICE #24560908.exe
1492 INVOICE #24560908.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INVOICE #24560908.exeINVOICE #24560908.exe

description pid process

Token: SeDebugPrivilege 1640 INVOICE #24560908.exe
Token: SeDebugPrivilege 1492 INVOICE #24560908.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1640 set thread context of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe

pid	process
1068	schtasks.exe

pid	process
1640	INVOICE #24560908.exe
1492	INVOICE #24560908.exe
1492	INVOICE #24560908.exe

description	pid	process
Token: SeDebugPrivilege	1640	INVOICE #24560908.exe
Token: SeDebugPrivilege	1492	INVOICE #24560908.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INVOICE #24560908.exe

description	pid	process	target process
PID 1640 wrote to memory of 1068	1640	INVOICE #24560908.exe	schtasks.exe
PID 1640 wrote to memory of 1068	1640	INVOICE #24560908.exe	schtasks.exe
PID 1640 wrote to memory of 1068	1640	INVOICE #24560908.exe	schtasks.exe
PID 1640 wrote to memory of 1068	1640	INVOICE #24560908.exe	schtasks.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe
PID 1640 wrote to memory of 1492	1640	INVOICE #24560908.exe	INVOICE #24560908.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE #24560908.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE #24560908.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lzdouz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8547.tmp"
2⤵
- Creates scheduled task(s)
PID:1068

C:\Users\Admin\AppData\Local\Temp\INVOICE #24560908.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8547.tmp
Filesize
1KB

MD5
6f0cdfbe18fc1d8e73dc87cdbbd8c69e

SHA1
7b725041fac6a098e364691d2fc02e565269b1af

SHA256
a1e7d5a691b03e0e407d15d4ab21d148ba90eeb52bd41a565588a7c5b79a385e

SHA512
90d116bad8b1acb8ab619fa3990f3a8314609ee639c662324d89dbd68663da2be33b6bec8e410da3ec1a6ede8c94672954a6b5fd266a1b62cafcfecc2850b0bd

Download Submit
memory/1068-59-0x0000000000000000-mapping.dmp

Download
memory/1492-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-67-0x0000000000437B8E-mapping.dmp

Download
memory/1492-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-57-0x00000000048C0000-0x0000000004944000-memory.dmp

Filesize
528KB

Download
memory/1640-58-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/1640-56-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/1640-55-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1640-54-0x0000000000880000-0x000000000094A000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads