agenttesla | da7f00e9042a254deafda735ffb54a8c03b4d3af45bc297d1dd412f7840cb77f

General

Target

INQUIRY_pdf__.exe
Size

525KB
MD5

15e91b66fb88390b9833cf3a79cab0ca
SHA1

e370b599b7e53bf35890e2e2f7e7b1a7e978ce86
SHA256

da7f00e9042a254deafda735ffb54a8c03b4d3af45bc297d1dd412f7840cb77f
SHA512

d5e5e63c7897506d80608ffff0571897b899d3964e19c51f8762412d04201a67b72a179bc11e6afb3c940a241dd42505ea9e074a947055b27aa6a4bd3704553e

Score

10^/10

Credentials

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3780-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/3780-3-0x0000000000446EAE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 3780	3100	INQUIRY_pdf__.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
3012	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
1564	REG.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	INQUIRY_pdf__.exe
Token: SeDebugPrivilege	3780	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3012	3100	INQUIRY_pdf__.exe	69
PID 3100 wrote to memory of 3012	3100	INQUIRY_pdf__.exe	69
PID 3100 wrote to memory of 3012	3100	INQUIRY_pdf__.exe	69
PID 3100 wrote to memory of 2268	3100	INQUIRY_pdf__.exe	71
PID 3100 wrote to memory of 2268	3100	INQUIRY_pdf__.exe	71
PID 3100 wrote to memory of 2268	3100	INQUIRY_pdf__.exe	71
PID 3100 wrote to memory of 3768	3100	INQUIRY_pdf__.exe	72
PID 3100 wrote to memory of 3768	3100	INQUIRY_pdf__.exe	72
PID 3100 wrote to memory of 3768	3100	INQUIRY_pdf__.exe	72
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3100 wrote to memory of 3780	3100	INQUIRY_pdf__.exe	73
PID 3780 wrote to memory of 1564	3780	RegSvcs.exe	79
PID 3780 wrote to memory of 1564	3780	RegSvcs.exe	79
PID 3780 wrote to memory of 1564	3780	RegSvcs.exe	79

C:\Users\Admin\AppData\Local\Temp\INQUIRY_pdf__.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY_pdf__.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBuNhmDhcB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCED.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "{path}"
  2⤵
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "{path}"
  2⤵
  PID:3768
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / v NoRun / t REG_DWORD / d 1 / f
    3⤵
    - Modifies registry key
    PID:1564