agenttesla | 51af0a175f8c7ef9d3e6b06b54ed1c8b4175f21ebac90816c6c36fd0e62ef654

General

Target

35742.exe
Size

763KB
MD5

475f12cc2635e010575a69ea39b22968
SHA1

17ac5e0c5e50808d5bb495d63f478687fdd297ab
SHA256

51af0a175f8c7ef9d3e6b06b54ed1c8b4175f21ebac90816c6c36fd0e62ef654
SHA512

57be18e887239afd6290715cfd1df6c1afa2e2a6c360c7a7905ddffe13cb669624092b2adb3d2452d95b6c9b5502d2319d03e52bb4c704f291ab81042aa70854

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://45.141.152.18/
Port:
21
Username:
[email protected]
Password:
wTk4W1Uhkp5u

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/412-127-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/412-128-0x000000000043760E-mapping.dmp	family_agenttesla
behavioral2/memory/412-134-0x00000000051A0000-0x000000000569E000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

35742.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe"	35742.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

35742.exe

description pid process target process

PID 3656 set thread context of 412 3656 35742.exe 35742.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

740 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

35742.exe35742.exe

pid process

3656 35742.exe
3656 35742.exe
3656 35742.exe
3656 35742.exe
412 35742.exe
412 35742.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

35742.exe

pid process

412 35742.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

35742.exe35742.exe

description pid process

Token: SeDebugPrivilege 3656 35742.exe
Token: SeDebugPrivilege 412 35742.exe

description	pid	process	target process
PID 3656 set thread context of 412	3656	35742.exe	35742.exe

pid	process
740	schtasks.exe

pid	process
3656	35742.exe
3656	35742.exe
3656	35742.exe
3656	35742.exe
412	35742.exe
412	35742.exe

pid	process
412	35742.exe

description	pid	process
Token: SeDebugPrivilege	3656	35742.exe
Token: SeDebugPrivilege	412	35742.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

35742.exe

description	pid	process	target process
PID 3656 wrote to memory of 740	3656	35742.exe	schtasks.exe
PID 3656 wrote to memory of 740	3656	35742.exe	schtasks.exe
PID 3656 wrote to memory of 740	3656	35742.exe	schtasks.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe
PID 3656 wrote to memory of 412	3656	35742.exe	35742.exe

C:\Users\Admin\AppData\Local\Temp\35742.exe
"C:\Users\Admin\AppData\Local\Temp\35742.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rveyuOyOEbQqxH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC545.tmp"
2⤵
- Creates scheduled task(s)
PID:740

C:\Users\Admin\AppData\Local\Temp\35742.exe
"C:\Users\Admin\AppData\Local\Temp\35742.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:412

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\35742.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC545.tmp
MD5
8a14dc07732e0c779ad0336043a3b7af

SHA1
a4902ccb6bd4169da4775337d5d1cc580a574834

SHA256
03baa906db5affbdde548bd742550daf74f4c410c4242c3b3a710ef490862b88

SHA512
dee331f45f9d90c9769d3814252909d1c3c2c96a3bd88acfb8b336d4c15c873770dc0edf31a2ae3ef7cca9f00f565a98dae6b1e3253e999ee5e1b549d5c37ba1

Download Submit
memory/412-136-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/412-135-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/412-134-0x00000000051A0000-0x000000000569E000-memory.dmp

Filesize
5.0MB

Download
memory/412-128-0x000000000043760E-mapping.dmp

Download
memory/412-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-125-0x0000000000000000-mapping.dmp

Download
memory/3656-119-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3656-124-0x0000000000AE0000-0x0000000000B28000-memory.dmp

Filesize
288KB

Download
memory/3656-123-0x0000000006E00000-0x0000000006E84000-memory.dmp

Filesize
528KB

Download
memory/3656-122-0x0000000004970000-0x0000000004A0C000-memory.dmp

Filesize
624KB

Download
memory/3656-121-0x0000000004FC0000-0x0000000004FC9000-memory.dmp

Filesize
36KB

Download
memory/3656-120-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3656-114-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3656-118-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3656-117-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3656-116-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads