agenttesla | ca85116a906c89b87336c43bbc9efe21b5428997fac2ba12031eb093e69e573c

General

Target

PAYMENT SLIP.exe
Size

804KB
MD5

97ce41c6381ec5f889820c88becb7181
SHA1

4097bbf4d592b268c65f41f3136becd1d14a990b
SHA256

cf6d236b07b02bcded4e19c6bb1ce31df4993c2961fb8544a9337969e44eff9c
SHA512

4a86c31f4bcc0c9b84a89a30339d0344f3680fbaeb2159761237a3fc8c1b17715869b34abe7cc5295c3c050bdc730e1660202ee5c5062e324101fdeec940af64
SSDEEP

12288:Ex+OSUAh3NVDi2iNa7xdvo/MdyrhFgtDsuBHsSj5J4+saBGgOZi9useDkmSqZYAU:U1U9BqmycgiH75BSi9nIYADWzMQYHy

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
sarahfoils.com
Port:
587
Username:
[email protected]
Password:
Scalatica01
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT SLIP.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT SLIP.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT SLIP.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 436	1624	PAYMENT SLIP.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1624	PAYMENT SLIP.exe
1624	PAYMENT SLIP.exe
1624	PAYMENT SLIP.exe
1624	PAYMENT SLIP.exe
300	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	PAYMENT SLIP.exe
Token: SeDebugPrivilege	436	PAYMENT SLIP.exe
Token: SeDebugPrivilege	300	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 300	1624	PAYMENT SLIP.exe	26
PID 1624 wrote to memory of 300	1624	PAYMENT SLIP.exe	26
PID 1624 wrote to memory of 300	1624	PAYMENT SLIP.exe	26
PID 1624 wrote to memory of 300	1624	PAYMENT SLIP.exe	26
PID 1624 wrote to memory of 1384	1624	PAYMENT SLIP.exe	28
PID 1624 wrote to memory of 1384	1624	PAYMENT SLIP.exe	28
PID 1624 wrote to memory of 1384	1624	PAYMENT SLIP.exe	28
PID 1624 wrote to memory of 1384	1624	PAYMENT SLIP.exe	28
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30
PID 1624 wrote to memory of 436	1624	PAYMENT SLIP.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT SLIP.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT SLIP.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KQLQDrZEa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KQLQDrZEa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp

Filesize
1KB

MD5
315b2929a1536290d6c22acf0aba0046

SHA1
553576472e68070c7f91d9c31ba3e1ad52c63cc8

SHA256
aa4f0f141bed5bacce9798129798e64f8aa83a809858d2d2dbb7c0b6dcfc0e7f

SHA512
bb8bd801e4151dd8e8e12650bd0a68e2d6630a21ddac2ef92a3398b2be99aab3abaa8f86271997b35dd3a4b68076563cb81bf6f7dbd40285fba3bc0a0c970fd1

Download Submit
memory/300-78-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/436-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-79-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/436-77-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/436-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/436-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/436-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-64-0x0000000004760000-0x0000000004794000-memory.dmp

Filesize
208KB

Download
memory/1624-54-0x0000000000A70000-0x0000000000B40000-memory.dmp

Filesize
832KB

Download
memory/1624-57-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1624-56-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1624-55-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/1624-58-0x0000000005360000-0x00000000053CC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads