agenttesla | 983c358590898925db49d1d6a731b54d37c76760267664be45a7dc00646cff60

General

Target

SecuriteInfo.com.Win32.32289.26241.exe
Size

511KB
MD5

c59f71a02c13a01d95bf37c095895748
SHA1

59c60b6a90cec4676afcc55a1397409e9d54b792
SHA256

983c358590898925db49d1d6a731b54d37c76760267664be45a7dc00646cff60
SHA512

f3ce51dfaefb5ca303c9facf646581af0ca7e823a0bc1f13bbd927a394ba701a82a5d188726fb6c6471928d1d2469b499654520fb5eadf264f8d0b49cd5059a0

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
jason.samtani@rxcleco.com
Password:
@Mexico1.,

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1480-10-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1480-11-0x000000000043749E-mapping.dmp	family_agenttesla
behavioral1/memory/1480-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.32289.26241.exe

description pid process target process

PID 548 set thread context of 1480 548 SecuriteInfo.com.Win32.32289.26241.exe SecuriteInfo.com.Win32.32289.26241.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

580 schtasks.exe

description	pid	process	target process
PID 548 set thread context of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe

pid	process
580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.Win32.32289.26241.exeSecuriteInfo.com.Win32.32289.26241.exe

pid	process
548	SecuriteInfo.com.Win32.32289.26241.exe
548	SecuriteInfo.com.Win32.32289.26241.exe
1480	SecuriteInfo.com.Win32.32289.26241.exe
1480	SecuriteInfo.com.Win32.32289.26241.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.32289.26241.exeSecuriteInfo.com.Win32.32289.26241.exe

description	pid	process
Token: SeDebugPrivilege	548	SecuriteInfo.com.Win32.32289.26241.exe
Token: SeDebugPrivilege	1480	SecuriteInfo.com.Win32.32289.26241.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Win32.32289.26241.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\avJawOiuQtyAB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D92.tmp"
2⤵
- Creates scheduled task(s)
PID:580

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe"
2⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.32289.26241.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D92.tmp
MD5
bb001896aec877de0de743d8c7c891ec

SHA1
c9ff3533350134971d6119c96fff75f82742962e

SHA256
05ce6536a7f633873a093ec2d9e1e027dddfbc8754b4d0847808b0d0ebef186b

SHA512
8b848032fa5e62702a9db3d38f751762ddf767db69b0b4430988beb637e87d118ee97b268f99ec326c34d12cd654906174aa93d540163e39777e9631d96a3d31

Download Submit
memory/548-2-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/548-3-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/548-5-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/548-6-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/548-7-0x0000000005090000-0x00000000050EE000-memory.dmp

Filesize
376KB

Download
memory/580-8-0x0000000000000000-mapping.dmp

Download
memory/1480-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-11-0x000000000043749E-mapping.dmp

Download
memory/1480-12-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-15-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 548 wrote to memory of 580	548	SecuriteInfo.com.Win32.32289.26241.exe	schtasks.exe
PID 548 wrote to memory of 580	548	SecuriteInfo.com.Win32.32289.26241.exe	schtasks.exe
PID 548 wrote to memory of 580	548	SecuriteInfo.com.Win32.32289.26241.exe	schtasks.exe
PID 548 wrote to memory of 580	548	SecuriteInfo.com.Win32.32289.26241.exe	schtasks.exe
PID 548 wrote to memory of 1096	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1096	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1096	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1096	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe
PID 548 wrote to memory of 1480	548	SecuriteInfo.com.Win32.32289.26241.exe	SecuriteInfo.com.Win32.32289.26241.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads