agenttesla | 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7

General

Target

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
Size

1.2MB
MD5

eef6884d0bb02a34de95bae6f9a73d96
SHA1

ca4b15eb51c602c16389947716fee3e143e739ef
SHA256

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7
SHA512

3bbce19ddaa9d7494d9cfcebe20c3e5fbe0aecdb6bc419b01f392291060ba53b4b03020e19e9442c35122744b5df7c48829740ec1d7def9d186d01a51a3e5b30

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hybridgroupco.com
Port:
587
Username:
[email protected]
Password:
y.NI13R&oE(,

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1308-10-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1308-11-0x000000000043760E-mapping.dmp	family_agenttesla
behavioral1/memory/1308-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

description	pid	process	target process
PID 1764 set thread context of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1372 schtasks.exe

pid	process
1372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

pid	process
1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
1308	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
1308	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

description	pid	process
Token: SeDebugPrivilege	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
Token: SeDebugPrivilege	1308	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

description	pid	process	target process
PID 1764 wrote to memory of 1372	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 1764 wrote to memory of 1372	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 1764 wrote to memory of 1372	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 1764 wrote to memory of 1372	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 1764 wrote to memory of 1308	1764	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
"C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cGAmxwwzOQQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"
2⤵
- Creates scheduled task(s)
PID:1372

C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
"C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp
MD5
3ebf0bec455da290217b07d7442c19e8

SHA1
d5033401decd421e9d91491529ebd26535d4b35b

SHA256
5656133e3820731ded9001d3caef44b47330a89c3e0f15487da952871f762834

SHA512
552b2d58da096d7de36fdacff58e0faf6c79f7edee6e5aa25b5556f33d7b07ee5334de91a7cb5a2b39314847bc1a5cd0d8f81dfe765087ae2fde63ea2f24912f

Download Submit
memory/1308-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-11-0x000000000043760E-mapping.dmp

Download
memory/1308-12-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1308-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-15-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1372-8-0x0000000000000000-mapping.dmp

Download
memory/1764-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/1764-3-0x0000000010A30000-0x0000000010A31000-memory.dmp

Filesize
4KB

Download
memory/1764-5-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1764-6-0x0000000000530000-0x0000000000533000-memory.dmp

Filesize
12KB

Download
memory/1764-7-0x00000000052E0000-0x0000000005387000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads