agenttesla | a1a65c2b75d242d817c7766bab1d947e2841d22870258d23fb5a69eb04fbebb4

General

Target

Payment Advise.exe
Size

786KB
MD5

ddb15a4c31bd7e0e7cf3d7cac8232f5f
SHA1

761590b2db740edbe30bf3232998c258062b169a
SHA256

fde52c018e73c2ac8a5f52796e06d7f35f9cfb197665d0ddb3dc6729c93cccb8
SHA512

d2d5110df0ee93aa294237abaea8e654dc9d620d6e6540366de87888dcba91b1db532c9c2417c42f6d137744cc7a1418167e9997f4a4c03e94c590d3d79a999c
SSDEEP

12288:IVmNAcv9ul/Z63ovN9LOfMe/xoKCT6Gx9QzjSCGmZJbxpDF+B7hC8Jf1:smNzV4KoT2c62CG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
chinedu2@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Advise.exe

description pid process target process

PID 1180 set thread context of 1292 1180 Payment Advise.exe Payment Advise.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1688 1292 WerFault.exe Payment Advise.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1460 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Payment Advise.exepowershell.exe

pid process

1292 Payment Advise.exe
1292 Payment Advise.exe
772 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Advise.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1292 Payment Advise.exe
Token: SeDebugPrivilege 772 powershell.exe

description	pid	process	target process
PID 1180 set thread context of 1292	1180	Payment Advise.exe	Payment Advise.exe

pid	pid_target	process	target process
1688	1292	WerFault.exe	Payment Advise.exe

pid	process
1460	schtasks.exe

pid	process
1292	Payment Advise.exe
1292	Payment Advise.exe
772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1292	Payment Advise.exe
Token: SeDebugPrivilege	772	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Payment Advise.exePayment Advise.exe

description	pid	process	target process
PID 1180 wrote to memory of 772	1180	Payment Advise.exe	powershell.exe
PID 1180 wrote to memory of 772	1180	Payment Advise.exe	powershell.exe
PID 1180 wrote to memory of 772	1180	Payment Advise.exe	powershell.exe
PID 1180 wrote to memory of 772	1180	Payment Advise.exe	powershell.exe
PID 1180 wrote to memory of 1460	1180	Payment Advise.exe	schtasks.exe
PID 1180 wrote to memory of 1460	1180	Payment Advise.exe	schtasks.exe
PID 1180 wrote to memory of 1460	1180	Payment Advise.exe	schtasks.exe
PID 1180 wrote to memory of 1460	1180	Payment Advise.exe	schtasks.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1180 wrote to memory of 1292	1180	Payment Advise.exe	Payment Advise.exe
PID 1292 wrote to memory of 1688	1292	Payment Advise.exe	WerFault.exe
PID 1292 wrote to memory of 1688	1292	Payment Advise.exe	WerFault.exe
PID 1292 wrote to memory of 1688	1292	Payment Advise.exe	WerFault.exe
PID 1292 wrote to memory of 1688	1292	Payment Advise.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KlAOZajcWjJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KlAOZajcWjJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D6D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advise.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 624
    3⤵
    - Program crash
    PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D6D.tmp

Filesize
1KB

MD5
5dc02c74482d0bbba10acc87700ff75d

SHA1
b6653d51ae1f719f4130872656993ec128adcc8d

SHA256
23470ba29e76f2232a270a523cd4d8a97ab5ba1b952073e8ba6526c942215035

SHA512
644ffdba9c8eb0e4b32bc53ceb1bbfa2e82986ce5d3956b6633049d2efc5af75b0b42a5cc05e6ff2e3db570bd9084b91fe195a294aaed5150707a62b023fe18e

Download Submit
memory/772-59-0x0000000000000000-mapping.dmp

Download
memory/772-78-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/772-77-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-54-0x0000000000A50000-0x0000000000B1A000-memory.dmp

Filesize
808KB

Download
memory/1180-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1180-56-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/1180-57-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1180-58-0x0000000004940000-0x00000000049B0000-memory.dmp

Filesize
448KB

Download
memory/1180-63-0x00000000021A0000-0x00000000021D8000-memory.dmp

Filesize
224KB

Download
memory/1292-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-70-0x000000000043263E-mapping.dmp

Download
memory/1292-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1460-60-0x0000000000000000-mapping.dmp

Download
memory/1688-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads