agenttesla | cde4e54eecb8d93a3bf01b328a33b998ef032becee8b0e375225cbce85c4a548

Analysis

max time kernel
40s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2023 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YUSVPayment.exe
Size

841KB
MD5

c9586b5ef698248e11c6fc904ccd1e6d
SHA1

3b2246ad338738d2d1dba1cbc7a751091149d338
SHA256

cde4e54eecb8d93a3bf01b328a33b998ef032becee8b0e375225cbce85c4a548
SHA512

114c617845d7061047db47893357e96703d70f576b4cd6d3c9822e94537a6efe8cea56babb22dae0181a0238b7595a49226780113810ad992a4bf1d2da38a2c9
SSDEEP

24576:3MPBrU7n0K+4iAVilgobPwXGYfpBhtD/:S1Ug54xQlJc2Y3

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
zqamcx.com
Port:
587
Username:
[email protected]
Password:
Methodman991
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YUSVPayment.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation	YUSVPayment.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe

pid	process
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

YUSVPayment.exe

pid	process
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe
5072	YUSVPayment.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

YUSVPayment.exe

description pid process

Token: SeDebugPrivilege 5072 YUSVPayment.exe

description	pid	process
Token: SeDebugPrivilege	5072	YUSVPayment.exe

C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe
"C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\smltCUtWNLO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFDC.tmp"
2⤵
- Creates scheduled task(s)
PID:2664

C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe
"C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\smltCUtWNLO.exe"
2⤵
PID:2232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\YUSVPayment.exe"
2⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
68760c476180677a261333940384d36f

SHA1
275e16e185818c80a9efbd8b96f33ae33c6f9601

SHA256
a6f2e64be81da6585fbb66607a05be7477047344cec3b5f1fa8615b38fdb43da

SHA512
b27dce7a32926419ede1ca22bae1b28378a661efbe2c63720dc2d4c9ed9864404f9988cbc3c51398d716c14128629d378b61b9a4784db3e71df3ece7c276fb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjoecstf.yew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFDC.tmp

Filesize
1KB

MD5
e47c8c1587bea8cc7e713659d14ca6bd

SHA1
27005c2e20dfff24f55458d89dd95296c2e2ccf1

SHA256
b678b7515435522f7dfb5fa44ad28a20b935db9a1856c48ca48c5207207ab59a

SHA512
4c7517d8166313bf1f57545ff8b76dc5a5a7a7e3cdc42e12ee4040a63c7d0ee9ff4efcb934ade769cb1d54c12175bb1c04437ced90c6bdecdb4b314d93087a93

Download Submit
memory/2232-83-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/2232-80-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/2232-29-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2232-25-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2232-24-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-96-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-89-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/2232-55-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2232-84-0x0000000007C40000-0x0000000007C51000-memory.dmp

Filesize
68KB

Download
memory/2232-69-0x0000000006D30000-0x0000000006D4E000-memory.dmp

Filesize
120KB

Download
memory/2232-79-0x0000000007730000-0x00000000077D3000-memory.dmp

Filesize
652KB

Download
memory/2232-58-0x0000000075660000-0x00000000756AC000-memory.dmp

Filesize
304KB

Download
memory/2816-32-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2816-85-0x00000000062D0000-0x0000000006320000-memory.dmp

Filesize
320KB

Download
memory/2816-97-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-31-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-98-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/3480-81-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/3480-56-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/3480-52-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/3480-28-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/3480-27-0x00000000054F0000-0x0000000005512000-memory.dmp

Filesize
136KB

Download
memory/3480-19-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3480-95-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3480-88-0x0000000007B30000-0x0000000007B4A000-memory.dmp

Filesize
104KB

Download
memory/3480-87-0x0000000007A30000-0x0000000007A44000-memory.dmp

Filesize
80KB

Download
memory/3480-53-0x0000000006580000-0x00000000065CC000-memory.dmp

Filesize
304KB

Download
memory/3480-54-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3480-20-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3480-57-0x00000000074A0000-0x00000000074D2000-memory.dmp

Filesize
200KB

Download
memory/3480-22-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/3480-59-0x0000000075660000-0x00000000756AC000-memory.dmp

Filesize
304KB

Download
memory/3480-21-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/3480-18-0x0000000004EF0000-0x0000000004F26000-memory.dmp

Filesize
216KB

Download
memory/3480-86-0x0000000007A20000-0x0000000007A2E000-memory.dmp

Filesize
56KB

Download
memory/3480-82-0x0000000007860000-0x000000000786A000-memory.dmp

Filesize
40KB

Download
memory/5072-7-0x0000000005210000-0x000000000522A000-memory.dmp

Filesize
104KB

Download
memory/5072-10-0x000000000C0E0000-0x000000000C15C000-memory.dmp

Filesize
496KB

Download
memory/5072-0-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-12-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-11-0x000000000F7F0000-0x000000000F88C000-memory.dmp

Filesize
624KB

Download
memory/5072-38-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-5-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/5072-8-0x0000000005340000-0x0000000005348000-memory.dmp

Filesize
32KB

Download
memory/5072-13-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/5072-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/5072-1-0x00000000003B0000-0x0000000000488000-memory.dmp

Filesize
864KB

Download
memory/5072-9-0x00000000064E0000-0x00000000064EA000-memory.dmp

Filesize
40KB

Download
memory/5072-4-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/5072-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/5072-6-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download