agenttesla | 7f10ebe191fcf2f28b9a9a67eaa0c4869d2a8ed62e1ed062e1a67b781fa78c66

General

Target

Total Invoice.exe
Size

949KB
MD5

a94578e1a694ba09dc9ed5dc7df60fcc
SHA1

8ea85a39e4e456e79db46abfe00f9be73c8e254e
SHA256

b06ef71a820a829fc010a3bc33b6c630282b94d831e25f972b7173f0783b76c9
SHA512

ab3277ca5e074100cc9323234ee257816261154bcd6da3b00c56a83b0f0923575649ec9c3272e5ac8da6bd4ae08f6757d7cd15147a15963d144b99be92a30565
SSDEEP

24576:8+17qWKvIj9RR5BGNn5BZj6ZNaJ312Zw471:t5AvIj9VB+j6naJl2iK1

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.unitechautomations.com
Port:
587
Username:
design@unitechautomations.com
Password:
Unitech@123
Email To:
overseas1@vestalshipping.com.vn

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Total Invoice.exe

description pid process target process

PID 1636 set thread context of 2368 1636 Total Invoice.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2504 schtasks.exe

description	pid	process	target process
PID 1636 set thread context of 2368	1636	Total Invoice.exe	RegSvcs.exe

pid	process
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Total Invoice.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
1636	Total Invoice.exe
1636	Total Invoice.exe
1636	Total Invoice.exe
1636	Total Invoice.exe
2984	powershell.exe
2648	powershell.exe
1636	Total Invoice.exe
2368	RegSvcs.exe
2368	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Total Invoice.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1636	Total Invoice.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2368	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Total Invoice.exe

description	pid	process	target process
PID 1636 wrote to memory of 2648	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2648	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2648	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2648	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2984	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2984	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2984	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2984	1636	Total Invoice.exe	powershell.exe
PID 1636 wrote to memory of 2504	1636	Total Invoice.exe	schtasks.exe
PID 1636 wrote to memory of 2504	1636	Total Invoice.exe	schtasks.exe
PID 1636 wrote to memory of 2504	1636	Total Invoice.exe	schtasks.exe
PID 1636 wrote to memory of 2504	1636	Total Invoice.exe	schtasks.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2544	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe
PID 1636 wrote to memory of 2368	1636	Total Invoice.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Total Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Total Invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Total Invoice.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XblPOAvPsrUQv.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XblPOAvPsrUQv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46C0.tmp"
2⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46C0.tmp
Filesize
1KB

MD5
fd7ee514c5bdeff0a9423945ce2f4d35

SHA1
dbc0131b86313aa8f3ad9775810453e3a900abad

SHA256
6b1170957a2db7b370d344d7fb481a72544b8ee221b3c57c6db62c7bf6fdbf76

SHA512
a89439906589ea2173f41e7f6e2b60590a728ddf6c41ee790a1e672de5ce1789a5defe618b5e2c5c2a330d2d7bb7caad61fdf1d8e9c688127a99b48e86b3d2e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y8O7HG4ZWD23O5CC0NUL.temp
Filesize
7KB

MD5
6419d198d423391dae38c2499e81d5d4

SHA1
47eaa6f45adbdad91f0480f78210a1237824b56e

SHA256
b4bf1b1c6c5df49c6433123ff0e49cf15e2bce6a6b63a4b22019768add63b46c

SHA512
067f54096fea34d3dcd852c3e50810c175258481d0a26a42b6dba156da96faf1f86f19dcd8f91e902919684cdeac5e9baa44ef95c3dd3a5b675ac21be23170d2

Download Submit
memory/1636-1-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1636-0-0x0000000000FD0000-0x00000000010C4000-memory.dmp

Filesize
976KB

Download
memory/1636-2-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/1636-3-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/1636-4-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/1636-5-0x0000000000440000-0x00000000004C2000-memory.dmp

Filesize
520KB

Download
memory/1636-38-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-46-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/2368-45-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-41-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/2368-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-40-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-27-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-33-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2648-21-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-43-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-25-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2984-31-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/2984-19-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/2984-29-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2984-42-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/2984-23-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads