agenttesla | 371a74d7e241249d2fca30e3d0b61c1d734e17a670bac95d88ae1793cf908f7e

General

Target

4019223246.exe
Size

578KB
MD5

cbbc71d2c2f3e4fb43d79aa0c2286eb0
SHA1

83b3a1cb0e58d08e67de440aee069a6310ffbf05
SHA256

371a74d7e241249d2fca30e3d0b61c1d734e17a670bac95d88ae1793cf908f7e
SHA512

b2a9795ed6947318e96b6dfd6af3d8e7f1803917ef70f6119524966d5b0f00d93071595cc4fa4b890c0aca9712060fd33b8ffddbfd7735f02fc88af269bc4c2d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
parida@1971@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2716-15-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2716-16-0x00000000004374EE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

4019223246.exe

description pid process target process

PID 528 set thread context of 2716 528 4019223246.exe 4019223246.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2268 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4019223246.exe

pid process

2716 4019223246.exe
2716 4019223246.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4019223246.exe

description pid process

Token: SeDebugPrivilege 2716 4019223246.exe

description	pid	process	target process
PID 528 set thread context of 2716	528	4019223246.exe	4019223246.exe

pid	process
2268	schtasks.exe

pid	process
2716	4019223246.exe
2716	4019223246.exe

description	pid	process
Token: SeDebugPrivilege	2716	4019223246.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4019223246.exe

description	pid	process	target process
PID 528 wrote to memory of 2268	528	4019223246.exe	schtasks.exe
PID 528 wrote to memory of 2268	528	4019223246.exe	schtasks.exe
PID 528 wrote to memory of 2268	528	4019223246.exe	schtasks.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe
PID 528 wrote to memory of 2716	528	4019223246.exe	4019223246.exe

C:\Users\Admin\AppData\Local\Temp\4019223246.exe
"C:\Users\Admin\AppData\Local\Temp\4019223246.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OogvJNZWDrsEN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE291.tmp"
2⤵
- Creates scheduled task(s)
PID:2268

C:\Users\Admin\AppData\Local\Temp\4019223246.exe
"C:\Users\Admin\AppData\Local\Temp\4019223246.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4019223246.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE291.tmp
MD5
ec0a25e37872adb80390229711e18475

SHA1
031ddd2cc6824ca0ef99090fb5c87239339f451c

SHA256
007d85e2f2ad08dea5bb13e4b463a1cb3abafe150dc31c30d8464811b07f89f1

SHA512
36bf18a50f378fb0b25447be9e73fb228147edb6427acfc00d31cfa305e3509444783eed23ba4de9c722e5328cb2f7dac2a031649f9a89ab6cca5de27dce54cd

Download Submit
memory/528-11-0x0000000008880000-0x0000000008883000-memory.dmp

Filesize
12KB

Download
memory/528-5-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/528-7-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/528-8-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/528-9-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/528-10-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/528-2-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/528-12-0x0000000001240000-0x000000000129C000-memory.dmp

Filesize
368KB

Download
memory/528-3-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/528-6-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2268-13-0x0000000000000000-mapping.dmp

Download
memory/2716-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-16-0x00000000004374EE-mapping.dmp

Download
memory/2716-18-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-23-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2716-24-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/2716-25-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads