agenttesla | a2f1773e4b9146563dbf711ca1462448a7a847f8b6660424f72faaa5fa9b20d4

General

Target

okxnbryfdgrlugbkshbgfjsh.exe
Size

523KB
MD5

c4242be5efb3c3833c20e3ca293c7375
SHA1

aa8c78515a6f0043c08b74fe142654ed59da5124
SHA256

a2f1773e4b9146563dbf711ca1462448a7a847f8b6660424f72faaa5fa9b20d4
SHA512

6b11e6706a75175e2890348c9de8464b6989dc2938ed54651a2e08b999b84b50f38f58aaff8730f48117e61cd93840a9352fe66761b55d4ebc9140b9eb27308b

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
GODBLESSUS123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/832-10-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/832-11-0x000000000043749E-mapping.dmp	family_agenttesla
behavioral1/memory/832-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

okxnbryfdgrlugbkshbgfjsh.exe

description pid process target process

PID 380 set thread context of 832 380 okxnbryfdgrlugbkshbgfjsh.exe okxnbryfdgrlugbkshbgfjsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1284 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

okxnbryfdgrlugbkshbgfjsh.exe

pid process

832 okxnbryfdgrlugbkshbgfjsh.exe
832 okxnbryfdgrlugbkshbgfjsh.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

okxnbryfdgrlugbkshbgfjsh.exe

description pid process

Token: SeDebugPrivilege 832 okxnbryfdgrlugbkshbgfjsh.exe

description	pid	process	target process
PID 380 set thread context of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe

pid	process
1284	schtasks.exe

pid	process
832	okxnbryfdgrlugbkshbgfjsh.exe
832	okxnbryfdgrlugbkshbgfjsh.exe

description	pid	process
Token: SeDebugPrivilege	832	okxnbryfdgrlugbkshbgfjsh.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

okxnbryfdgrlugbkshbgfjsh.exe

description	pid	process	target process
PID 380 wrote to memory of 1284	380	okxnbryfdgrlugbkshbgfjsh.exe	schtasks.exe
PID 380 wrote to memory of 1284	380	okxnbryfdgrlugbkshbgfjsh.exe	schtasks.exe
PID 380 wrote to memory of 1284	380	okxnbryfdgrlugbkshbgfjsh.exe	schtasks.exe
PID 380 wrote to memory of 1284	380	okxnbryfdgrlugbkshbgfjsh.exe	schtasks.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe
PID 380 wrote to memory of 832	380	okxnbryfdgrlugbkshbgfjsh.exe	okxnbryfdgrlugbkshbgfjsh.exe

C:\Users\Admin\AppData\Local\Temp\okxnbryfdgrlugbkshbgfjsh.exe
"C:\Users\Admin\AppData\Local\Temp\okxnbryfdgrlugbkshbgfjsh.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNqaGW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\okxnbryfdgrlugbkshbgfjsh.exe
  "C:\Users\Admin\AppData\Local\Temp\okxnbryfdgrlugbkshbgfjsh.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp

MD5
93de0f47b98855e15f7b052c54274488

SHA1
262d4516abb1e5f8a050139c984a3dc1a4562436

SHA256
25964d689e6a16ace885168627481e568d320cc10910817d4e7af3a916eb13c4

SHA512
0cda5d3a283bd5e03a1f719ae926f93db1f2492b9ae1ce8ccfa436bfbb59f3900433f46b5a301fe5c25e5428918758ccbe00490b1663027a19f58d5ba80ef183

Download Submit
memory/380-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/380-3-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/380-5-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/380-6-0x0000000000530000-0x0000000000533000-memory.dmp

Filesize
12KB

Download
memory/380-7-0x0000000004BA0000-0x0000000004BFC000-memory.dmp

Filesize
368KB

Download
memory/832-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-11-0x000000000043749E-mapping.dmp

Download
memory/832-12-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/832-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-15-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1284-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads