agenttesla | 391085720087ca47539076781ecfb5e4027f3c89bb19097b0c3d9e599cc6b6cd

General

Target

payment status.exe
Size

840KB
MD5

aa2bbdd4f76e86b8a34746c29602982e
SHA1

65afd6aa0bf71c64cbaa3076dee472d696dd5566
SHA256

391085720087ca47539076781ecfb5e4027f3c89bb19097b0c3d9e599cc6b6cd
SHA512

c6888740e55c03ab9c494cc0a9e0d7271ecc009393274f332566090c0932ec5848349b803ced84c5f1bdb3a873b739c4b2058971552f195e2c9d5d850fe9135f
SSDEEP

12288:S3f5A6IOwgTt0Pkua0p0lZXRYQlBTPNPqt99EUU5kLQTYCS51fn7dyx:YTaslk0l1RYmFqt95dsMCS5l7Mx

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

payment status.exe

description pid process target process

PID 1940 set thread context of 2548 1940 payment status.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2652 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

pid process

2776 powershell.exe
2764 powershell.exe
2548 RegSvcs.exe
2548 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2776 powershell.exe
Token: SeDebugPrivilege 2764 powershell.exe
Token: SeDebugPrivilege 2548 RegSvcs.exe

description	pid	process	target process
PID 1940 set thread context of 2548	1940	payment status.exe	RegSvcs.exe

pid	process
2652	schtasks.exe

pid	process
2776	powershell.exe
2764	powershell.exe
2548	RegSvcs.exe
2548	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2548	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

payment status.exe

description	pid	process	target process
PID 1940 wrote to memory of 2764	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2764	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2764	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2764	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2776	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2776	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2776	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2776	1940	payment status.exe	powershell.exe
PID 1940 wrote to memory of 2652	1940	payment status.exe	schtasks.exe
PID 1940 wrote to memory of 2652	1940	payment status.exe	schtasks.exe
PID 1940 wrote to memory of 2652	1940	payment status.exe	schtasks.exe
PID 1940 wrote to memory of 2652	1940	payment status.exe	schtasks.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe
PID 1940 wrote to memory of 2548	1940	payment status.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\payment status.exe
"C:\Users\Admin\AppData\Local\Temp\payment status.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment status.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZPYGuWlgLiAnJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZPYGuWlgLiAnJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADDC.tmp"
2⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpADDC.tmp

Filesize
1KB

MD5
d44126ff35532d06f927cb7c8d58656d

SHA1
dc876937f2f846ab8395f3b30a54f95193243d45

SHA256
67a606b3b177b87935c9c54856b536218fbdbe92ee652abd90b9cc0ba6e9192d

SHA512
0fc7ef53e0a163d761deb874010a92cc634d8799c90e2e8449ef7862ff8740401e5ce2673a5f2ec883feab399493ef4180d2934deab87072df1dd0aeb1ac1be9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KPSWAAT1OD051XN358TF.temp

Filesize
7KB

MD5
0ebe921f40d5c2ffe6fa90d7e7d0eb9f

SHA1
744768592ae521f63b2df131268068ecd18d6c87

SHA256
9bb0875f38f8768a1b56b794cb4003db06fb90648cdd3eca98466a40d6bf9a90

SHA512
27ac7f499c7aecda07ad020fed19921a027a057b345afa6e9a860f6938006b70ebc6fc27efee899c85f734e9047739fc2d37710497f046ea96cb86bb5ebfbe51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0ebe921f40d5c2ffe6fa90d7e7d0eb9f

SHA1
744768592ae521f63b2df131268068ecd18d6c87

SHA256
9bb0875f38f8768a1b56b794cb4003db06fb90648cdd3eca98466a40d6bf9a90

SHA512
27ac7f499c7aecda07ad020fed19921a027a057b345afa6e9a860f6938006b70ebc6fc27efee899c85f734e9047739fc2d37710497f046ea96cb86bb5ebfbe51

Download Submit
memory/1940-3-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/1940-4-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1940-5-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1940-6-0x0000000005440000-0x00000000054BC000-memory.dmp

Filesize
496KB

Download
memory/1940-7-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-8-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1940-0-0x0000000000920000-0x00000000009F8000-memory.dmp

Filesize
864KB

Download
memory/1940-2-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1940-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-35-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-48-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-45-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-40-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-33-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2764-42-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2764-44-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2764-29-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-47-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-37-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/2776-41-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-43-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/2776-46-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-23-0x000000006EE70000-0x000000006F41B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads