agenttesla | c41ed5dd41446e88d3d14ccab8d52c7581c6d09dc6ce14c05866384ac5a1ee37

General

Target

SOA MARCH 2021.exe
Size

724KB
MD5

33c12d55fd798df965c7ade79fab99b2
SHA1

d05278f2b8b9d3d47aaccb8c8a2f26d06e5548c0
SHA256

c41ed5dd41446e88d3d14ccab8d52c7581c6d09dc6ce14c05866384ac5a1ee37
SHA512

7aaca413b132073865762e0f60560b1f2540ae1f920c508d64872d84cfe2598b35327e8ab440fbed2c6c98cdde4421363533d8bc475469cd6f28eff04f521220

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
Ricardo2021@vivaldi.net
Password:
Qwerty2020Hp##

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/808-66-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/808-67-0x00000000004374CE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA MARCH 2021.exe

description pid process target process

PID 2004 set thread context of 808 2004 SOA MARCH 2021.exe SOA MARCH 2021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SOA MARCH 2021.exeSOA MARCH 2021.exe

pid process

2004 SOA MARCH 2021.exe
2004 SOA MARCH 2021.exe
2004 SOA MARCH 2021.exe
808 SOA MARCH 2021.exe
808 SOA MARCH 2021.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SOA MARCH 2021.exeSOA MARCH 2021.exe

description pid process

Token: SeDebugPrivilege 2004 SOA MARCH 2021.exe
Token: SeDebugPrivilege 808 SOA MARCH 2021.exe

description	pid	process	target process
PID 2004 set thread context of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe

pid	process
772	schtasks.exe

pid	process
2004	SOA MARCH 2021.exe
2004	SOA MARCH 2021.exe
2004	SOA MARCH 2021.exe
808	SOA MARCH 2021.exe
808	SOA MARCH 2021.exe

description	pid	process
Token: SeDebugPrivilege	2004	SOA MARCH 2021.exe
Token: SeDebugPrivilege	808	SOA MARCH 2021.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SOA MARCH 2021.exeSOA MARCH 2021.exe

description	pid	process	target process
PID 2004 wrote to memory of 772	2004	SOA MARCH 2021.exe	schtasks.exe
PID 2004 wrote to memory of 772	2004	SOA MARCH 2021.exe	schtasks.exe
PID 2004 wrote to memory of 772	2004	SOA MARCH 2021.exe	schtasks.exe
PID 2004 wrote to memory of 772	2004	SOA MARCH 2021.exe	schtasks.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 2004 wrote to memory of 808	2004	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 808 wrote to memory of 1452	808	SOA MARCH 2021.exe	dw20.exe
PID 808 wrote to memory of 1452	808	SOA MARCH 2021.exe	dw20.exe
PID 808 wrote to memory of 1452	808	SOA MARCH 2021.exe	dw20.exe
PID 808 wrote to memory of 1452	808	SOA MARCH 2021.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uWJTdif" /XML "C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp"
2⤵
- Creates scheduled task(s)
PID:772

C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 520
3⤵
PID:1452

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp
MD5
e40754dafa2b4bd7ba1a6374c3e1f9b3

SHA1
dcf88c6876b4a45529c5b04a9de4c2f68a45e0a4

SHA256
9c6b256ea0e574b267db1c7adcb023e83b3dfedb599b5f7ebb5fb61d44445fb2

SHA512
bdf1e1d263f1f581d006dd95e728970c987964e3e3e3c5bd5e0a79b514cc4744545eda2535ac1cd9d2c517d79a82f6b385f7c6afdf815ffc8dd257d99a8bb365

Download Submit
memory/772-64-0x0000000000000000-mapping.dmp

Download
memory/808-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/808-67-0x00000000004374CE-mapping.dmp

Download
memory/808-69-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1452-70-0x0000000000000000-mapping.dmp

Download
memory/1452-72-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2004-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2004-62-0x0000000000231000-0x0000000000232000-memory.dmp

Filesize
4KB

Download
memory/2004-63-0x000000007EF50000-0x000000007EF51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads