agenttesla | 6cae7d1c457d915e347d1f75b8dbc6523fe4efd80c6e6a3a23a9ff2aeb67a204

General

Target

EPDA Dec 2020 UPDATED_S.O.A Revised.exe

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shreejilogistix.com
Port:
587
Username:
[email protected]
Password:
ZHNecv9PfHk2

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1268-11-0x0000000000C80000-0x0000000000CCD000-memory.dmp	family_agenttesla
behavioral1/memory/1268-12-0x0000000000E70000-0x0000000000EBC000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EPDA Dec 2020 UPDATED_S.O.A Revised.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swely = "C:\\Users\\Public\\Libraries\\ylewS.url"	EPDA Dec 2020 UPDATED_S.O.A Revised.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

EPDA Dec 2020 UPDATED_S.O.A Revised.exe

description pid process target process

PID 1616 set thread context of 1268 1616 EPDA Dec 2020 UPDATED_S.O.A Revised.exe svchost.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

1268 svchost.exe
1268 svchost.exe

description	pid	process	target process
PID 1616 set thread context of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1268	svchost.exe
1268	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EPDA Dec 2020 UPDATED_S.O.A Revised.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe
Token: SeBackupPrivilege	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe
Token: SeDebugPrivilege	1268	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EPDA Dec 2020 UPDATED_S.O.A Revised.exe

description	pid	process	target process
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe
PID 1616 wrote to memory of 1268	1616	EPDA Dec 2020 UPDATED_S.O.A Revised.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\EPDA Dec 2020 UPDATED_S.O.A Revised.exe
"C:\Users\Admin\AppData\Local\Temp\EPDA Dec 2020 UPDATED_S.O.A Revised.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1268-11-0x0000000000C80000-0x0000000000CCD000-memory.dmp

Filesize
308KB

Download
memory/1268-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1268-5-0x000000000040CD2F-mapping.dmp

Download
memory/1268-7-0x0000000002330000-0x0000000002341000-memory.dmp

Filesize
68KB

Download
memory/1268-8-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1268-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1268-15-0x0000000004884000-0x0000000004886000-memory.dmp

Filesize
8KB

Download
memory/1268-14-0x0000000004883000-0x0000000004884000-memory.dmp

Filesize
4KB

Download
memory/1268-12-0x0000000000E70000-0x0000000000EBC000-memory.dmp

Filesize
304KB

Download
memory/1268-10-0x0000000004881000-0x0000000004882000-memory.dmp

Filesize
4KB

Download
memory/1268-13-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/1616-2-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1616-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads