agenttesla | 5b7c7d4bf17521dddc7ee1accfee37d1b50e89f634e7c67439ae92dcef4c32e3

General

Target

4600031748.exe
Size

1.1MB
MD5

201b4d62ac730c8aa790d6958fd36def
SHA1

f47fb5d4ca3a442f7f8f442e47e1297d2304da69
SHA256

5b7c7d4bf17521dddc7ee1accfee37d1b50e89f634e7c67439ae92dcef4c32e3
SHA512

f2857f1ea47c58a5571f17e2c78bed6bf67b5580d81a2892f676304206d17ebf216c0823d5ab99cf34726ada1e0c43b899b92f4de61a0762be6c5e712bdcf429

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.chestronic.com
Port:
587
Username:
sales2@chestronic.com
Password:
8$@oJ?OGP~ge

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1388-9-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1388-10-0x000000000043760E-mapping.dmp	family_agenttesla
behavioral1/memory/1388-11-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1388-12-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

4600031748.exe

description pid process target process

PID 728 set thread context of 1388 728 4600031748.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1260 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4600031748.exeRegSvcs.exe

pid process

728 4600031748.exe
728 4600031748.exe
728 4600031748.exe
1388 RegSvcs.exe
1388 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4600031748.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 728 4600031748.exe
Token: SeDebugPrivilege 1388 RegSvcs.exe

description	pid	process	target process
PID 728 set thread context of 1388	728	4600031748.exe	RegSvcs.exe

pid	process
1260	schtasks.exe

pid	process
728	4600031748.exe
728	4600031748.exe
728	4600031748.exe
1388	RegSvcs.exe
1388	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	728	4600031748.exe
Token: SeDebugPrivilege	1388	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4600031748.exe

description	pid	process	target process
PID 728 wrote to memory of 1260	728	4600031748.exe	schtasks.exe
PID 728 wrote to memory of 1260	728	4600031748.exe	schtasks.exe
PID 728 wrote to memory of 1260	728	4600031748.exe	schtasks.exe
PID 728 wrote to memory of 1260	728	4600031748.exe	schtasks.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1312	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe
PID 728 wrote to memory of 1388	728	4600031748.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\4600031748.exe
"C:\Users\Admin\AppData\Local\Temp\4600031748.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NtvQlyWoHaEIYi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BA0.tmp"
2⤵
- Creates scheduled task(s)
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4BA0.tmp
MD5
1b2743f16f11dde1b06d629d081c6374

SHA1
127434a6a4906e51c7b9aac69705a0b6000583e6

SHA256
ae73ea59054b859ffa041731fcd315d1cbd35f30532e5630847916513d34c206

SHA512
5a190307c5e8053cda58ffb37106a871d7fe62b4fbda75e046b6aaba049d52fd0372d0f1b40d3fdae237ff4abd2bbb1ec0b5ad4ee59e5065c33e3ff7d59a278c

Download Submit
memory/728-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/728-3-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/728-5-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/728-6-0x00000000050D0000-0x0000000005143000-memory.dmp

Filesize
460KB

Download
memory/1260-7-0x0000000000000000-mapping.dmp

Download
memory/1388-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-10-0x000000000043760E-mapping.dmp

Download
memory/1388-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-13-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads