agenttesla | d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c

General

Target

catalogue.exe
Size

515KB
MD5

1c098e2524570249e1aa01afe50f3dde
SHA1

f130b0404f94fb4ddfdd918b58734dc73d3e814f
SHA256

d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c
SHA512

b67b7f19b4dd15179720a82f2f62ce6a709b3adad7299afc86eff1cf8f00ebb660d710c8cf6b8d3bd7ef4653c41a4447e11e60cce817056494dffc9ee055ba91

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
admin@cairoways.me
Password:
requestShow@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/804-58-0x000000000044C8CE-mapping.dmp	family_agenttesla
behavioral1/memory/804-57-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/804-59-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/804-60-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

catalogue.exe

description pid process target process

PID 1924 set thread context of 804 1924 catalogue.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1956 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

804 RegSvcs.exe
804 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

catalogue.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1924 catalogue.exe
Token: SeDebugPrivilege 804 RegSvcs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

catalogue.exeRegSvcs.exe

pid process

1924 catalogue.exe
1924 catalogue.exe
804 RegSvcs.exe

description	pid	process	target process
PID 1924 set thread context of 804	1924	catalogue.exe	RegSvcs.exe

pid	process
1956	schtasks.exe

pid	process
804	RegSvcs.exe
804	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1924	catalogue.exe
Token: SeDebugPrivilege	804	RegSvcs.exe

pid	process
1924	catalogue.exe
1924	catalogue.exe
804	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

catalogue.exeRegSvcs.exe

description	pid	process	target process
PID 1924 wrote to memory of 1956	1924	catalogue.exe	schtasks.exe
PID 1924 wrote to memory of 1956	1924	catalogue.exe	schtasks.exe
PID 1924 wrote to memory of 1956	1924	catalogue.exe	schtasks.exe
PID 1924 wrote to memory of 1956	1924	catalogue.exe	schtasks.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 1924 wrote to memory of 804	1924	catalogue.exe	RegSvcs.exe
PID 804 wrote to memory of 1096	804	RegSvcs.exe	netsh.exe
PID 804 wrote to memory of 1096	804	RegSvcs.exe	netsh.exe
PID 804 wrote to memory of 1096	804	RegSvcs.exe	netsh.exe
PID 804 wrote to memory of 1096	804	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\catalogue.exe
"C:\Users\Admin\AppData\Local\Temp\catalogue.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jZUqGdZLb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp"
2⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1096

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp
MD5
c9c84f201aad3f7a6622300814a70cfe

SHA1
7eb2133169ad5204f6e6299f84d1730b9a5849b3

SHA256
4b9404cf707a09c98a8e7bcee88841a6359b7732a0b36cf2adc657dfdff78cef

SHA512
0d6d2cafe9178f806062269848a957da52a6029e879334b388ac80a763c3736cbbb562246b43c7f49bcfa0001d6c8bae968b572f5699045fbd34e045c6fc8255

Download Submit
memory/744-54-0x000007FEF6270000-0x000007FEF64EA000-memory.dmp

Filesize
2.5MB

Download
memory/804-58-0x000000000044C8CE-mapping.dmp

Download
memory/804-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/804-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/804-60-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1096-61-0x0000000000000000-mapping.dmp

Download
memory/1956-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads