agenttesla | c213685d3005fbac05b0cd6b11a077f57cc4d50fcb762c7cab8a81ae7dec2043

General

Target

Purchase Order_Pdf.exe
Size

1.1MB
MD5

24ab440ba14af239092dc2f4c04a4aed
SHA1

4f060fb538c3f5fba0b7e8e95bfc5c3f620ea190
SHA256

c213685d3005fbac05b0cd6b11a077f57cc4d50fcb762c7cab8a81ae7dec2043
SHA512

2d3ba4ced486d9de70598f9934e20951fe7e4e056d8f50a9ed4c6f947e169885efe9f7c9b24d2dcff345ba0b7b33ca47ee11defdade776dd22514aba22d8a10b

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.impressindia.net
Port:
587
Username:
office-z9@impressindia.net
Password:
+EmoBNGlt2M,

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1676-9-0x0000000004960000-0x0000000004996000-memory.dmp	family_agenttesla

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1704 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Purchase Order_Pdf.exe

pid process

1676 Purchase Order_Pdf.exe
1676 Purchase Order_Pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Order_Pdf.exe

description pid process

Token: SeDebugPrivilege 1676 Purchase Order_Pdf.exe

pid	process
1704	schtasks.exe

pid	process
1676	Purchase Order_Pdf.exe
1676	Purchase Order_Pdf.exe

description	pid	process
Token: SeDebugPrivilege	1676	Purchase Order_Pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Purchase Order_Pdf.exe

description	pid	process	target process
PID 1676 wrote to memory of 1704	1676	Purchase Order_Pdf.exe	schtasks.exe
PID 1676 wrote to memory of 1704	1676	Purchase Order_Pdf.exe	schtasks.exe
PID 1676 wrote to memory of 1704	1676	Purchase Order_Pdf.exe	schtasks.exe
PID 1676 wrote to memory of 1704	1676	Purchase Order_Pdf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_Pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gspeFYive" /XML "C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp"
2⤵
- Creates scheduled task(s)
PID:1704

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp
MD5
7f89d092522243a4369d45f067ca630f

SHA1
218e0a8790837fbb0f142317589594be2fdef484

SHA256
ad3c805e283873a23dc988a8551fe74353545e8add2a3e819abaf7a8c1fb31fe

SHA512
289d4baa80b80eb7839839a3e3d7225df092f80aeab01281e9ffbd98d01bb67bca28ac0c98cb31628e78f77ad4538fa9b56f9e12f5ee97f37c47207ba209f957

Download Submit
memory/1676-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1676-3-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1676-5-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/1676-6-0x00000000003A0000-0x000000000042F000-memory.dmp

Filesize
572KB

Download
memory/1676-9-0x0000000004960000-0x0000000004996000-memory.dmp

Filesize
216KB

Download
memory/1704-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads