agenttesla | 28fa65d2b186492e5f1108e2bfa0b6babef6e12ae1dcfba019ee7065ee703caf

General

Target

190223-01PY - COSMOS.exe
Size

792KB
MD5

c0c2ac3ac3b8a7af9f31aae937ea750c
SHA1

ebf17014c15dfcab53f9a81edeb6f942c7efcbc4
SHA256

28fa65d2b186492e5f1108e2bfa0b6babef6e12ae1dcfba019ee7065ee703caf
SHA512

0f6ca77a7d02bfa5d6caf488a9a77bca3db0fed58bd35520c908d7ea1d9e682cab32733b6e65787ac7ba8aa2aba3afe8bebf82af618b24eff87bc1776d954e93

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
surelylogs2@yandex.ru
Password:
uzoma1989

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1120-9-0x0000000000C00000-0x0000000000C37000-memory.dmp	family_agenttesla

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1160 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

190223-01PY - COSMOS.exe

pid process

1120 190223-01PY - COSMOS.exe
1120 190223-01PY - COSMOS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

190223-01PY - COSMOS.exe

description pid process

Token: SeDebugPrivilege 1120 190223-01PY - COSMOS.exe

pid	process
1160	schtasks.exe

pid	process
1120	190223-01PY - COSMOS.exe
1120	190223-01PY - COSMOS.exe

description	pid	process
Token: SeDebugPrivilege	1120	190223-01PY - COSMOS.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

190223-01PY - COSMOS.exe

description	pid	process	target process
PID 1120 wrote to memory of 1160	1120	190223-01PY - COSMOS.exe	schtasks.exe
PID 1120 wrote to memory of 1160	1120	190223-01PY - COSMOS.exe	schtasks.exe
PID 1120 wrote to memory of 1160	1120	190223-01PY - COSMOS.exe	schtasks.exe
PID 1120 wrote to memory of 1160	1120	190223-01PY - COSMOS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\190223-01PY - COSMOS.exe
"C:\Users\Admin\AppData\Local\Temp\190223-01PY - COSMOS.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SYeQIKtqXCFG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp"
2⤵
- Creates scheduled task(s)
PID:1160

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp
MD5
211a7eca25d21257d0316cb8c671377c

SHA1
790ba41ee212d237a7f408d63923a1efcc9e9303

SHA256
25c363b3c8d90e9891c06fafc7d3ae0fb47b9ac856a9b6cb7223069614be3c13

SHA512
1f9624a3017bca032b12b4404054097d8ce522b660275e4305e583a7d8587e340f7bc2e11747839273f863a15e0635c6712b2ddfb9af395e83548ca365e1a351

Download Submit
memory/1120-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1120-3-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1120-5-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1120-6-0x0000000005340000-0x00000000053B5000-memory.dmp

Filesize
468KB

Download
memory/1120-9-0x0000000000C00000-0x0000000000C37000-memory.dmp

Filesize
220KB

Download
memory/1160-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads