agenttesla | 26b8405b53da2fa69471859793721f24e5c407bb4d2af8537e21e244c4363f55

General

Target

Copyofreceipt.scr
Size

507KB
MD5

6f9340718bf2defbdb4b438d80857fb3
SHA1

ddfe78ec1db2fbec98ee87235938223360bae49d
SHA256

26b8405b53da2fa69471859793721f24e5c407bb4d2af8537e21e244c4363f55
SHA512

d971042a10a141cb876d2ae3a69ebc7b9cfb740238b83fc59424344b15c2d9baa09c624a925878c6a5e9e9de8f36cef34d49a6aa65b5a729d4aa56da4a112b82

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.ccglass.co.za
Port:
587
Username:
zenovia@ccglass.co.za
Password:
Tum145ram@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1452-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/1452-15-0x000000000043761E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Copyofreceipt.scr

description pid process target process

PID 1404 set thread context of 1452 1404 Copyofreceipt.scr Copyofreceipt.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1316 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Copyofreceipt.scr

pid process

1452 Copyofreceipt.scr
1452 Copyofreceipt.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Copyofreceipt.scr

description pid process

Token: SeDebugPrivilege 1452 Copyofreceipt.scr

description	pid	process	target process
PID 1404 set thread context of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr

pid	process
1316	schtasks.exe

pid	process
1452	Copyofreceipt.scr
1452	Copyofreceipt.scr

description	pid	process
Token: SeDebugPrivilege	1452	Copyofreceipt.scr

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Copyofreceipt.scr

description	pid	process	target process
PID 1404 wrote to memory of 1316	1404	Copyofreceipt.scr	schtasks.exe
PID 1404 wrote to memory of 1316	1404	Copyofreceipt.scr	schtasks.exe
PID 1404 wrote to memory of 1316	1404	Copyofreceipt.scr	schtasks.exe
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr
PID 1404 wrote to memory of 1452	1404	Copyofreceipt.scr	Copyofreceipt.scr

C:\Users\Admin\AppData\Local\Temp\Copyofreceipt.scr
"C:\Users\Admin\AppData\Local\Temp\Copyofreceipt.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnTVKjXRZvpJV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2353.tmp"
2⤵
- Creates scheduled task(s)
PID:1316

C:\Users\Admin\AppData\Local\Temp\Copyofreceipt.scr
"C:\Users\Admin\AppData\Local\Temp\Copyofreceipt.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copyofreceipt.scr.log
MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2353.tmp
MD5
cce0be75a8cafd2dd1a64b759232c14a

SHA1
13973ffd896a8df74618f1e4120c6217103e523e

SHA256
04567beaf9eab0d277798398c1c20f5182743e415c09142371bb44621c1dc879

SHA512
edd000a9d797587db64446bb0905c34bec77abb896fde2393f1b1b435b0c2ff6d5fea5af315027615263218a8b6ba34782248dba83b3bf6ea51724f882e6fd42

Download Submit
memory/1316-12-0x0000000000000000-mapping.dmp

Download
memory/1404-11-0x0000000007240000-0x000000000729E000-memory.dmp

Filesize
376KB

Download
memory/1404-5-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/1404-8-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1404-9-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1404-10-0x0000000005650000-0x0000000005653000-memory.dmp

Filesize
12KB

Download
memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-6-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1404-7-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/1404-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1452-15-0x000000000043761E-mapping.dmp

Download
memory/1452-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-17-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-22-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/1452-23-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1452-24-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads