agenttesla | a7f482ac5e2ae2fb33ade7e265de448153742b59a6855ef681e5088a8558e7b8

General

Target

SOMTAS RFQ 00453729353484925.exe
Size

1.6MB
MD5

ac27827db2f048220b677c7f11aba859
SHA1

2d72fd5f8de1ea92d18365795b2a4e24f9306e8c
SHA256

a7f482ac5e2ae2fb33ade7e265de448153742b59a6855ef681e5088a8558e7b8
SHA512

ec58cd7b6e837a71dec1d99499e5e0465aa68f61480dfacb9391269534760787f58223f1acc289c10fee92efcf599567420e32759a5c39c1319d659d8306dda2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
blaqlogs@yandex.ru
Password:
ugoblaq007

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
blaqlogs@yandex.ru
Password:
ugoblaq007

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3216-16-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral2/memory/3216-17-0x000000000044A78E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOMTAS RFQ 00453729353484925.exe

description pid process target process

PID 4060 set thread context of 3216 4060 SOMTAS RFQ 00453729353484925.exe SOMTAS RFQ 00453729353484925.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1172 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SOMTAS RFQ 00453729353484925.exe

pid process

3216 SOMTAS RFQ 00453729353484925.exe
3216 SOMTAS RFQ 00453729353484925.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SOMTAS RFQ 00453729353484925.exe

description pid process

Token: SeDebugPrivilege 3216 SOMTAS RFQ 00453729353484925.exe

description	pid	process	target process
PID 4060 set thread context of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe

pid	process
1172	schtasks.exe

pid	process
3216	SOMTAS RFQ 00453729353484925.exe
3216	SOMTAS RFQ 00453729353484925.exe

description	pid	process
Token: SeDebugPrivilege	3216	SOMTAS RFQ 00453729353484925.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SOMTAS RFQ 00453729353484925.exe

description	pid	process	target process
PID 4060 wrote to memory of 1172	4060	SOMTAS RFQ 00453729353484925.exe	schtasks.exe
PID 4060 wrote to memory of 1172	4060	SOMTAS RFQ 00453729353484925.exe	schtasks.exe
PID 4060 wrote to memory of 1172	4060	SOMTAS RFQ 00453729353484925.exe	schtasks.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe
PID 4060 wrote to memory of 3216	4060	SOMTAS RFQ 00453729353484925.exe	SOMTAS RFQ 00453729353484925.exe

C:\Users\Admin\AppData\Local\Temp\SOMTAS RFQ 00453729353484925.exe
"C:\Users\Admin\AppData\Local\Temp\SOMTAS RFQ 00453729353484925.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSaokGGQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB8A.tmp"
2⤵
- Creates scheduled task(s)
PID:1172

C:\Users\Admin\AppData\Local\Temp\SOMTAS RFQ 00453729353484925.exe
"C:\Users\Admin\AppData\Local\Temp\SOMTAS RFQ 00453729353484925.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOMTAS RFQ 00453729353484925.exe.log
MD5
65f1f0c7993639f9f9e1d524224a2c93

SHA1
5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c

SHA256
e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93

SHA512
3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB8A.tmp
MD5
84b6d31843a1d95315033e71508e7153

SHA1
55034d0f449fc931183bc459d8b35e9b37b45b02

SHA256
fd467519ce879c49191980d7c39dda65b559ece0f4b7e6e1933d45b4eef6c423

SHA512
3cca24d8a8a9be50693f68825a2dbaaee93ae4faad29f499e4d143a19c06ff5d264e07a4b7d882a91bb68e548ba0cf1ff54b266c9023acdb755aa6ef761439fa

Download Submit
memory/1172-14-0x0000000000000000-mapping.dmp

Download
memory/3216-29-0x0000000005A61000-0x0000000005A62000-memory.dmp

Filesize
4KB

Download
memory/3216-26-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/3216-25-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3216-24-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3216-19-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/3216-17-0x000000000044A78E-mapping.dmp

Download
memory/3216-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4060-8-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4060-13-0x0000000000D90000-0x0000000000E57000-memory.dmp

Filesize
796KB

Download
memory/4060-12-0x0000000004A10000-0x0000000004A23000-memory.dmp

Filesize
76KB

Download
memory/4060-11-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/4060-10-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/4060-9-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/4060-2-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/4060-7-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/4060-6-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/4060-5-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/4060-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads