agenttesla | dfa098b2094107457d9bbe4511620001c72842c5c0240a3ab58989d5ebb49c97

General

Target

doc07486620200116112353 pdf..exe
Size

582KB
MD5

3c6eef45d23c93f32edaa81f6b7c8c54
SHA1

fcdfb605f8241f8dd1142f1c197ba56c4489dd38
SHA256

dfa098b2094107457d9bbe4511620001c72842c5c0240a3ab58989d5ebb49c97
SHA512

588c7bb8355963a4979d8ddf2e9aab07bd046e3a8b99db0d60e918e4d6d0d6f66c46a204c770e87e88feb6c420705cc6fdb6fbc6e053c7d68fa8c7b6c589ae32

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.aquariuslogistics.com
Port:
587
Username:
ajay@aquariuslogistics.com
Password:
AQL@2019#$

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1592-11-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral1/memory/1592-12-0x000000000044833E-mapping.dmp	family_agenttesla
behavioral1/memory/1592-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral1/memory/1592-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

doc07486620200116112353 pdf..exeRegSvcs.exe

description	pid	process	target process
PID 1496 set thread context of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 864 set thread context of 1592	864	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1644 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

1252 REG.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1592 RegSvcs.exe
1592 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1592 RegSvcs.exe

pid	process
1644	schtasks.exe

pid	process
1252	REG.exe

pid	process
1592	RegSvcs.exe
1592	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1592	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

doc07486620200116112353 pdf..exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 1496 wrote to memory of 864	1496	doc07486620200116112353 pdf..exe	RegSvcs.exe
PID 864 wrote to memory of 1644	864	RegSvcs.exe	schtasks.exe
PID 864 wrote to memory of 1644	864	RegSvcs.exe	schtasks.exe
PID 864 wrote to memory of 1644	864	RegSvcs.exe	schtasks.exe
PID 864 wrote to memory of 1644	864	RegSvcs.exe	schtasks.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 864 wrote to memory of 1592	864	RegSvcs.exe	RegSvcs.exe
PID 1592 wrote to memory of 1252	1592	RegSvcs.exe	REG.exe
PID 1592 wrote to memory of 1252	1592	RegSvcs.exe	REG.exe
PID 1592 wrote to memory of 1252	1592	RegSvcs.exe	REG.exe
PID 1592 wrote to memory of 1252	1592	RegSvcs.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\doc07486620200116112353 pdf..exe
"C:\Users\Admin\AppData\Local\Temp\doc07486620200116112353 pdf..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ULIpyruwsyj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B13.tmp"
3⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
4⤵
- Modifies registry key
PID:1252

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4B13.tmp
MD5
4995db95d2402f7b367dd7b7ab6226e5

SHA1
c4756fa5fdc4cfa8fa4840e759290736a9109578

SHA256
00c35e83abb46ef395ba4bbd3204a70d7d3bf86e21dfdf07e8b9913cb885e793

SHA512
b16a299677390aa007590838cbe3109d6ee537a9fd80bd6091955911601f27d70f2b1995cc300257d2463405a1b1b2eae0e801a7e437bfbe625cf96d33463606

Download Submit
memory/864-2-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/864-3-0x000000000046A296-mapping.dmp

Download
memory/864-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/864-5-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1252-15-0x0000000000000000-mapping.dmp

Download
memory/1496-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1592-11-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1592-12-0x000000000044833E-mapping.dmp

Download
memory/1592-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1592-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1644-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads