agenttesla | 282b5d50f956c8ac1dea9080f1ba21129ce937a6d234fad62e17136509ac5166

General

Target

be39908fb0cae5cdbbb7982a6ace4f23.exe
Size

1.0MB
MD5

be39908fb0cae5cdbbb7982a6ace4f23
SHA1

f19fd7e8c80393e59ab19954d7b67b8323c0496e
SHA256

282b5d50f956c8ac1dea9080f1ba21129ce937a6d234fad62e17136509ac5166
SHA512

8a1aa9de76754a21736ab83fb3b98d9cffb49dbb2e60f21092c64d09debcb08ff912352f1df641e36943fd257e7c88fcc11f71479baf825c747b5bca25268c9b

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.scrablex.com
Port:
587
Username:
[email protected]
Password:
Chisom123.

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2940-128-0x00000000004375DE-mapping.dmp	family_agenttesla
behavioral2/memory/2940-127-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

be39908fb0cae5cdbbb7982a6ace4f23.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\aKZoqyj = "C:\\Users\\Admin\\AppData\\Roaming\\aKZoqyj\\aKZoqyj.exe"	be39908fb0cae5cdbbb7982a6ace4f23.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

be39908fb0cae5cdbbb7982a6ace4f23.exe

description pid process target process

PID 856 set thread context of 2940 856 be39908fb0cae5cdbbb7982a6ace4f23.exe be39908fb0cae5cdbbb7982a6ace4f23.exe

description	pid	process	target process
PID 856 set thread context of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

be39908fb0cae5cdbbb7982a6ace4f23.exebe39908fb0cae5cdbbb7982a6ace4f23.exe

pid	process
856	be39908fb0cae5cdbbb7982a6ace4f23.exe
856	be39908fb0cae5cdbbb7982a6ace4f23.exe
856	be39908fb0cae5cdbbb7982a6ace4f23.exe
856	be39908fb0cae5cdbbb7982a6ace4f23.exe
856	be39908fb0cae5cdbbb7982a6ace4f23.exe
2940	be39908fb0cae5cdbbb7982a6ace4f23.exe
2940	be39908fb0cae5cdbbb7982a6ace4f23.exe
2940	be39908fb0cae5cdbbb7982a6ace4f23.exe
2940	be39908fb0cae5cdbbb7982a6ace4f23.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

be39908fb0cae5cdbbb7982a6ace4f23.exebe39908fb0cae5cdbbb7982a6ace4f23.exe

description pid process

Token: SeDebugPrivilege 856 be39908fb0cae5cdbbb7982a6ace4f23.exe
Token: SeDebugPrivilege 2940 be39908fb0cae5cdbbb7982a6ace4f23.exe

description	pid	process
Token: SeDebugPrivilege	856	be39908fb0cae5cdbbb7982a6ace4f23.exe
Token: SeDebugPrivilege	2940	be39908fb0cae5cdbbb7982a6ace4f23.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

be39908fb0cae5cdbbb7982a6ace4f23.exe

description	pid	process	target process
PID 856 wrote to memory of 3580	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 3580	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 3580	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe
PID 856 wrote to memory of 2940	856	be39908fb0cae5cdbbb7982a6ace4f23.exe	be39908fb0cae5cdbbb7982a6ace4f23.exe

C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe
"C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe
  "C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"
  2⤵
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe
  "C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\be39908fb0cae5cdbbb7982a6ace4f23.exe.log

MD5
65f1f0c7993639f9f9e1d524224a2c93

SHA1
5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c

SHA256
e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93

SHA512
3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

Download Submit
memory/856-123-0x0000000006850000-0x0000000006859000-memory.dmp

Filesize
36KB

Download
memory/856-120-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/856-124-0x000000007F090000-0x000000007F091000-memory.dmp

Filesize
4KB

Download
memory/856-119-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/856-125-0x0000000006B10000-0x0000000006B95000-memory.dmp

Filesize
532KB

Download
memory/856-121-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/856-122-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/856-126-0x0000000001700000-0x000000000174B000-memory.dmp

Filesize
300KB

Download
memory/856-118-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/856-117-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/856-114-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/856-116-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2940-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-128-0x00000000004375DE-mapping.dmp

Download
memory/2940-134-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/2940-135-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/2940-136-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads