agenttesla | 0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7

General

Target

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
Size

1.2MB
MD5

eef6884d0bb02a34de95bae6f9a73d96
SHA1

ca4b15eb51c602c16389947716fee3e143e739ef
SHA256

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7
SHA512

3bbce19ddaa9d7494d9cfcebe20c3e5fbe0aecdb6bc419b01f392291060ba53b4b03020e19e9442c35122744b5df7c48829740ec1d7def9d186d01a51a3e5b30

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hybridgroupco.com
Port:
587
Username:
[email protected]
Password:
y.NI13R&oE(,

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2096-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2096-15-0x000000000043760E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

description	pid	process	target process
PID 756 set thread context of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1452 schtasks.exe

pid	process
1452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

pid	process
2096	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
2096	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

description	pid	process
Token: SeDebugPrivilege	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
Token: SeDebugPrivilege	2096	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

description	pid	process	target process
PID 756 wrote to memory of 1452	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 756 wrote to memory of 1452	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 756 wrote to memory of 1452	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	schtasks.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
PID 756 wrote to memory of 2096	756	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe	0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe

C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
"C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cGAmxwwzOQQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C14.tmp"
2⤵
- Creates scheduled task(s)
PID:1452

C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe
"C:\Users\Admin\AppData\Local\Temp\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0b294a86c7a96940273ae96e52524162e31f869dd6b79100061de0399079c4e7.exe.log
MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C14.tmp
MD5
5adb888d8e90fa8343490e4bf01eac1e

SHA1
fedc1415096870dbfc3a6c6ac4e53adea3db0fa1

SHA256
e12d684255b823a8b4258ce2c4d5ac91c3d004afec6b621321b9b671fa946dd5

SHA512
7e48d5aba485e66e1820aea0fc59d321f19ff8bd7cee7f9bd271de8b9514b4d812e0b8a4f2e751961c580e2ea6fb9013a0e3000246fc1937d1568c3455cd4009

Download Submit
memory/756-11-0x0000000006150000-0x00000000061F7000-memory.dmp

Filesize
668KB

Download
memory/756-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/756-7-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/756-8-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/756-9-0x00000000053F0000-0x00000000053F3000-memory.dmp

Filesize
12KB

Download
memory/756-10-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/756-6-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/756-5-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/1452-12-0x0000000000000000-mapping.dmp

Download
memory/2096-15-0x000000000043760E-mapping.dmp

Download
memory/2096-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-17-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-22-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2096-23-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2096-24-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads