agenttesla | ea14b2f05572c2086fbede5fde7c6b94b4f9a2d378680c656510f32bd1445e39

General

Target

RFQ pdf.exe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hermanusbearings.co.za
Port:
587
Username:
[email protected]
Password:
$Victory2019$

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1296-10-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1296-11-0x0000000000436C3E-mapping.dmp	family_agenttesla
behavioral1/memory/1296-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ pdf.exe

description pid process target process

PID 1832 set thread context of 1296 1832 RFQ pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

848 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RFQ pdf.exeRegSvcs.exe

pid process

1832 RFQ pdf.exe
1296 RegSvcs.exe
1296 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ pdf.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1832 RFQ pdf.exe
Token: SeDebugPrivilege 1296 RegSvcs.exe

description	pid	process	target process
PID 1832 set thread context of 1296	1832	RFQ pdf.exe	RegSvcs.exe

pid	process
848	schtasks.exe

pid	process
1832	RFQ pdf.exe
1296	RegSvcs.exe
1296	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1832	RFQ pdf.exe
Token: SeDebugPrivilege	1296	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

RFQ pdf.exe

description	pid	process	target process
PID 1832 wrote to memory of 848	1832	RFQ pdf.exe	schtasks.exe
PID 1832 wrote to memory of 848	1832	RFQ pdf.exe	schtasks.exe
PID 1832 wrote to memory of 848	1832	RFQ pdf.exe	schtasks.exe
PID 1832 wrote to memory of 848	1832	RFQ pdf.exe	schtasks.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe
PID 1832 wrote to memory of 1296	1832	RFQ pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RFQ pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bqyHHleRc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F3B.tmp"
2⤵
- Creates scheduled task(s)
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F3B.tmp
MD5
f9e89597b5a8acaf6fd869c6803cbd1a

SHA1
97a2e8044939267d442b8086a3e899124cb80ea0

SHA256
58656d89ea2c8dab68ce59e2a86559645ec017d5f990cfbeac5f9e1e08136c3e

SHA512
4e030f41091157e4806077316578ebdbaa081950b9e9c5e4ce751627b5ba6fa3d7459ae19b4a63c70d9997a6f1fd482c8f3ca9ef470b001dc28e3bd43bd2c063

Download Submit
memory/848-8-0x0000000000000000-mapping.dmp

Download
memory/1296-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1296-11-0x0000000000436C3E-mapping.dmp

Download
memory/1296-12-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1296-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1296-15-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1832-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-3-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1832-5-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1832-6-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/1832-7-0x0000000005BD0000-0x0000000005C2D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads