agenttesla | 19aad89e62883b8ead9db879fd1203dd51a2eeee41d0748a81c7b31c6237babd

General

Target

PAYMENT ADVISE_0004.exe
Size

841KB
MD5

c57e9585bbe179e45833e8b896c73e29
SHA1

1c0aa52a527f919f0e575e00dcb7023c553f9d5c
SHA256

0a87339cba74896d097ec10a18315d66dc3f98121ba968ff571a29e241646b60
SHA512

15b2b749010b6da998063d24aa75a38b0fdda79c523f99b2ff1cc074f64d6551b5854a09adf44df434e4ede55e7562535650e54445bb94096620e10360575263
SSDEEP

12288:F/hXvkIY0GZa/4y1v8Vdv+UF9Co2dLi78dkLgxlkg586aWHffauQOQWM6x5BbWIb:8B03giZUFZ2dLg/gxlB5O8f4b

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1046885137620668476/tqKDZZWFXo6nvWfx10p4wfxf1QI6_dSmYl-LLQGbb4vhhmp9HT4sLvTVg0kj1SgRTQGZ

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PAYMENT ADVISE_0004.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PAYMENT ADVISE_0004.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PAYMENT ADVISE_0004.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OapnhE = "C:\\Users\\Admin\\AppData\\Roaming\\OapnhE\\OapnhE.exe"	PAYMENT ADVISE_0004.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 api.ipify.org
93 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT ADVISE_0004.exe

description pid process target process

PID 608 set thread context of 4420 608 PAYMENT ADVISE_0004.exe PAYMENT ADVISE_0004.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4856 schtasks.exe

flow	ioc
92	api.ipify.org
93	api.ipify.org

description	pid	process	target process
PID 608 set thread context of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe

pid	process
4856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PAYMENT ADVISE_0004.exepowershell.exePAYMENT ADVISE_0004.exe

pid	process
608	PAYMENT ADVISE_0004.exe
608	PAYMENT ADVISE_0004.exe
4748	powershell.exe
4420	PAYMENT ADVISE_0004.exe
4420	PAYMENT ADVISE_0004.exe
4748	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

PAYMENT ADVISE_0004.exe

pid process

4420 PAYMENT ADVISE_0004.exe

pid	process
4420	PAYMENT ADVISE_0004.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PAYMENT ADVISE_0004.exepowershell.exePAYMENT ADVISE_0004.exe

description	pid	process
Token: SeDebugPrivilege	608	PAYMENT ADVISE_0004.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4420	PAYMENT ADVISE_0004.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PAYMENT ADVISE_0004.exe

description	pid	process	target process
PID 608 wrote to memory of 4748	608	PAYMENT ADVISE_0004.exe	powershell.exe
PID 608 wrote to memory of 4748	608	PAYMENT ADVISE_0004.exe	powershell.exe
PID 608 wrote to memory of 4748	608	PAYMENT ADVISE_0004.exe	powershell.exe
PID 608 wrote to memory of 4856	608	PAYMENT ADVISE_0004.exe	schtasks.exe
PID 608 wrote to memory of 4856	608	PAYMENT ADVISE_0004.exe	schtasks.exe
PID 608 wrote to memory of 4856	608	PAYMENT ADVISE_0004.exe	schtasks.exe
PID 608 wrote to memory of 1004	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 1004	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 1004	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe
PID 608 wrote to memory of 4420	608	PAYMENT ADVISE_0004.exe	PAYMENT ADVISE_0004.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE_0004.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE_0004.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dpVDkY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dpVDkY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2FF.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE_0004.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE_0004.exe"
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE_0004.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVISE_0004.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT ADVISE_0004.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2FF.tmp

Filesize
1KB

MD5
fb178493b91df4137a390baa73ab02d8

SHA1
74a1f049ffe1890b9273ca7c5e55458f44bbee92

SHA256
4b98be1a75d63502d6397ce92d4c2c9a017fc5fdc78ca52557fc36e60e81a9f4

SHA512
f0069d5fa62484c5a79ad20ea835e9be163d456422e1d7f32c7e95957975d4da0c16b2b9f171d97a8dabda410181b2bb08e49100374d27d7e479ea8054cb87e4

Download Submit
memory/608-133-0x0000000008160000-0x0000000008704000-memory.dmp

Filesize
5.6MB

Download
memory/608-134-0x0000000007C90000-0x0000000007D22000-memory.dmp

Filesize
584KB

Download
memory/608-135-0x0000000007C80000-0x0000000007C8A000-memory.dmp

Filesize
40KB

Download
memory/608-136-0x000000000A2F0000-0x000000000A38C000-memory.dmp

Filesize
624KB

Download
memory/608-132-0x0000000000D30000-0x0000000000E08000-memory.dmp

Filesize
864KB

Download
memory/1004-141-0x0000000000000000-mapping.dmp

Download
memory/4420-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4420-142-0x0000000000000000-mapping.dmp

Download
memory/4748-150-0x0000000006A20000-0x0000000006A52000-memory.dmp

Filesize
200KB

Download
memory/4748-149-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4748-139-0x0000000004E80000-0x0000000004EB6000-memory.dmp

Filesize
216KB

Download
memory/4748-156-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/4748-146-0x00000000054B0000-0x00000000054D2000-memory.dmp

Filesize
136KB

Download
memory/4748-147-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/4748-148-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4748-143-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/4748-137-0x0000000000000000-mapping.dmp

Download
memory/4748-151-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/4748-152-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download
memory/4748-153-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/4748-154-0x0000000005300000-0x000000000531A000-memory.dmp

Filesize
104KB

Download
memory/4748-155-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/4856-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads