agenttesla | d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c

General

Target

catalogue.exe
Size

515KB
MD5

1c098e2524570249e1aa01afe50f3dde
SHA1

f130b0404f94fb4ddfdd918b58734dc73d3e814f
SHA256

d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c
SHA512

b67b7f19b4dd15179720a82f2f62ce6a709b3adad7299afc86eff1cf8f00ebb660d710c8cf6b8d3bd7ef4653c41a4447e11e60cce817056494dffc9ee055ba91

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
admin@cairoways.me
Password:
requestShow@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/308-5-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/308-6-0x000000000044C8CE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

catalogue.exe

description pid process target process

PID 592 set thread context of 308 592 catalogue.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3404 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

308 RegSvcs.exe
308 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

catalogue.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 592 catalogue.exe
Token: SeDebugPrivilege 308 RegSvcs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

catalogue.exeRegSvcs.exe

pid process

592 catalogue.exe
592 catalogue.exe
308 RegSvcs.exe

description	pid	process	target process
PID 592 set thread context of 308	592	catalogue.exe	RegSvcs.exe

pid	process
3404	schtasks.exe

pid	process
308	RegSvcs.exe
308	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	592	catalogue.exe
Token: SeDebugPrivilege	308	RegSvcs.exe

pid	process
592	catalogue.exe
592	catalogue.exe
308	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

catalogue.exeRegSvcs.exe

description	pid	process	target process
PID 592 wrote to memory of 3404	592	catalogue.exe	schtasks.exe
PID 592 wrote to memory of 3404	592	catalogue.exe	schtasks.exe
PID 592 wrote to memory of 3404	592	catalogue.exe	schtasks.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 592 wrote to memory of 308	592	catalogue.exe	RegSvcs.exe
PID 308 wrote to memory of 2164	308	RegSvcs.exe	netsh.exe
PID 308 wrote to memory of 2164	308	RegSvcs.exe	netsh.exe
PID 308 wrote to memory of 2164	308	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\catalogue.exe
"C:\Users\Admin\AppData\Local\Temp\catalogue.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jZUqGdZLb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp"
2⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBB28.tmp
MD5
339cbb32f0100c13367271bcc73d4ddd

SHA1
7d02788af676c7cfc7fffdc8e0aec5445a999aa6

SHA256
e775dc77e760b597ebc283fca92ac69d5422c7953debbe3e314b90b8eabd649f

SHA512
f8e1c3cb4cf8aafcf6294acf9c20c618d5ef8a02fcc45a27ee24e3887cfbe7829042c05d446fdab5c304beba0227e74fbcacd27fc981600d3d5f9c89853bc2af

Download Submit
memory/308-5-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/308-6-0x000000000044C8CE-mapping.dmp

Download
memory/2164-7-0x0000000000000000-mapping.dmp

Download
memory/3404-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads