agenttesla | 92d887eebd56236c7b64d7c4df54d34b63910982eddf27769b942d524c39a4a3

General

Target

REVISED PROFORMA INVOICE.exe
Size

1.5MB
MD5

ea2c4b1f17a5113a551ec7779d30bc2e
SHA1

e89f81052d5f40fd759deb1f1fd3bc0a2a3c7c37
SHA256

92d887eebd56236c7b64d7c4df54d34b63910982eddf27769b942d524c39a4a3
SHA512

ebdcf6da3caa104a095f36d59579743ad6c771dd2cda9eba4e6d23c7d00026e8c065919535dd1bb24000d5cbe6d9fe9b5159ac867fbff29bd2c5d4fb795eb81e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.goldenamoonresorts.com
Port:
587
Username:
[email protected]
Password:
golden@123

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.goldenamoonresorts.com
Port:
587
Username:
[email protected]
Password:
golden@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3448-6-0x0000000000400000-0x0000000000466000-memory.dmp	family_agenttesla
behavioral2/memory/3448-7-0x00000000004610FE-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

REVISED PROFORMA INVOICE.exe

description pid process target process

PID 880 set thread context of 3448 880 REVISED PROFORMA INVOICE.exe REVISED PROFORMA INVOICE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

REVISED PROFORMA INVOICE.exeREVISED PROFORMA INVOICE.exe

pid process

880 REVISED PROFORMA INVOICE.exe
3448 REVISED PROFORMA INVOICE.exe
3448 REVISED PROFORMA INVOICE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

REVISED PROFORMA INVOICE.exeREVISED PROFORMA INVOICE.exe

description pid process

Token: SeDebugPrivilege 880 REVISED PROFORMA INVOICE.exe
Token: SeDebugPrivilege 3448 REVISED PROFORMA INVOICE.exe

description	pid	process	target process
PID 880 set thread context of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe

pid	process
940	schtasks.exe

pid	process
880	REVISED PROFORMA INVOICE.exe
3448	REVISED PROFORMA INVOICE.exe
3448	REVISED PROFORMA INVOICE.exe

description	pid	process
Token: SeDebugPrivilege	880	REVISED PROFORMA INVOICE.exe
Token: SeDebugPrivilege	3448	REVISED PROFORMA INVOICE.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

REVISED PROFORMA INVOICE.exe

description	pid	process	target process
PID 880 wrote to memory of 940	880	REVISED PROFORMA INVOICE.exe	schtasks.exe
PID 880 wrote to memory of 940	880	REVISED PROFORMA INVOICE.exe	schtasks.exe
PID 880 wrote to memory of 940	880	REVISED PROFORMA INVOICE.exe	schtasks.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe
PID 880 wrote to memory of 3448	880	REVISED PROFORMA INVOICE.exe	REVISED PROFORMA INVOICE.exe

C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lUXcvyz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B0A.tmp"
2⤵
- Creates scheduled task(s)
PID:940

C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\REVISED PROFORMA INVOICE.exe.log

MD5
568e6f2b186c39075772d775e4189f57

SHA1
02f642cfdd1491b1ce69e81925ed336975e2f972

SHA256
d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4

SHA512
ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B0A.tmp

MD5
377dd102c53a09b6f08e393067601231

SHA1
d015dfa508c1be5642f880f0a4492013e3755c7f

SHA256
38a7e655cae7df50f1c372c7a004accb0c1d7a893f397eda3b9d59f6e8d1283e

SHA512
d46d8246396215c7cda7d3b74c3d62d477fff77e5ee742cdea24b779cad01f5f3c6dc8dc7d007dec10da1f269108433fb414c563fc39fe88bdc3258ff31a7ba3

Download Submit
memory/880-2-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/880-3-0x0000000000621000-0x0000000000622000-memory.dmp

Filesize
4KB

Download
memory/940-4-0x0000000000000000-mapping.dmp

Download
memory/3448-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3448-7-0x00000000004610FE-mapping.dmp

Download
memory/3448-9-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3448-10-0x00000000027C1000-0x00000000027C2000-memory.dmp

Filesize
4KB

Download
memory/3448-11-0x00000000027C2000-0x00000000027C3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads