agenttesla | eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a

General

Target

146938fb56dd1017e45b1483dff8e353.exe
Size

947KB
MD5

146938fb56dd1017e45b1483dff8e353
SHA1

7104dada4cff7cd2e1ac643877bca649b35e7aee
SHA256

eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a
SHA512

32b0cfbc2673f8eb9079916ba82f07870cfb87195780b82f2cfd4b75670a9d44a5e7239a377c803bc75fe8171a18bc03ea85fe51129f16f0d6ff4991e4914201

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.godforeu.com
Port:
587
Username:
[email protected]
Password:
O8k#Pz4sk:w_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1016-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1016-8-0x000000000043749E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe

description pid process target process

PID 1108 set thread context of 1016 1108 146938fb56dd1017e45b1483dff8e353.exe 146938fb56dd1017e45b1483dff8e353.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1624 schtasks.exe

description	pid	process	target process
PID 1108 set thread context of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe

pid	process
1624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe146938fb56dd1017e45b1483dff8e353.exe

pid	process
1108	146938fb56dd1017e45b1483dff8e353.exe
1108	146938fb56dd1017e45b1483dff8e353.exe
1108	146938fb56dd1017e45b1483dff8e353.exe
1108	146938fb56dd1017e45b1483dff8e353.exe
1108	146938fb56dd1017e45b1483dff8e353.exe
1108	146938fb56dd1017e45b1483dff8e353.exe
1108	146938fb56dd1017e45b1483dff8e353.exe
1016	146938fb56dd1017e45b1483dff8e353.exe
1016	146938fb56dd1017e45b1483dff8e353.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe146938fb56dd1017e45b1483dff8e353.exe

description pid process

Token: SeDebugPrivilege 1108 146938fb56dd1017e45b1483dff8e353.exe
Token: SeDebugPrivilege 1016 146938fb56dd1017e45b1483dff8e353.exe

description	pid	process
Token: SeDebugPrivilege	1108	146938fb56dd1017e45b1483dff8e353.exe
Token: SeDebugPrivilege	1016	146938fb56dd1017e45b1483dff8e353.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe146938fb56dd1017e45b1483dff8e353.exe

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nwcdFkAETi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF863.tmp"
2⤵
- Creates scheduled task(s)
PID:1624

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
2⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
2⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
2⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 520
3⤵
PID:932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF863.tmp
MD5
4dbc5c3b281ec47452c2f20ac075111c

SHA1
100aef16e2091ddf317e3c2b161fe1858cee24a0

SHA256
5c9e3632d7c8955328525de89ee554bd15db6fd3443fce6a66cb67e8d41cb2a8

SHA512
6f824ae4f75cc46c15a62468948dc5c59ce3ec6d4782526463bf37011210c0b46f62c5775ab69fa0b69eb89cea0ede916bcebffc900f2a6379a74ca6e15296b8

Download Submit
memory/932-11-0x0000000000000000-mapping.dmp

Download
memory/932-12-0x0000000001F20000-0x0000000001F31000-memory.dmp

Filesize
68KB

Download
memory/932-14-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1016-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-8-0x000000000043749E-mapping.dmp

Download
memory/1016-10-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1108-3-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1108-5-0x0000000000661000-0x0000000000662000-memory.dmp

Filesize
4KB

Download
memory/1624-4-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1108 wrote to memory of 1624	1108	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 1108 wrote to memory of 1624	1108	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 1108 wrote to memory of 1624	1108	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 1108 wrote to memory of 1624	1108	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 1108 wrote to memory of 1712	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1712	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1712	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1712	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 792	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 792	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 792	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 792	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 440	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 440	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 440	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 440	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1108 wrote to memory of 1016	1108	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 1016 wrote to memory of 932	1016	146938fb56dd1017e45b1483dff8e353.exe	dw20.exe
PID 1016 wrote to memory of 932	1016	146938fb56dd1017e45b1483dff8e353.exe	dw20.exe
PID 1016 wrote to memory of 932	1016	146938fb56dd1017e45b1483dff8e353.exe	dw20.exe
PID 1016 wrote to memory of 932	1016	146938fb56dd1017e45b1483dff8e353.exe	dw20.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads