agenttesla | c41ed5dd41446e88d3d14ccab8d52c7581c6d09dc6ce14c05866384ac5a1ee37

General

Target

SOA MARCH 2021.exe
Size

724KB
MD5

33c12d55fd798df965c7ade79fab99b2
SHA1

d05278f2b8b9d3d47aaccb8c8a2f26d06e5548c0
SHA256

c41ed5dd41446e88d3d14ccab8d52c7581c6d09dc6ce14c05866384ac5a1ee37
SHA512

7aaca413b132073865762e0f60560b1f2540ae1f920c508d64872d84cfe2598b35327e8ab440fbed2c6c98cdde4421363533d8bc475469cd6f28eff04f521220

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
Ricardo2021@vivaldi.net
Password:
Qwerty2020Hp##

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1548-119-0x00000000004374CE-mapping.dmp	family_agenttesla
behavioral2/memory/1548-118-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA MARCH 2021.exe

description pid process target process

PID 996 set thread context of 1548 996 SOA MARCH 2021.exe SOA MARCH 2021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

936 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SOA MARCH 2021.exeSOA MARCH 2021.exe

pid process

996 SOA MARCH 2021.exe
996 SOA MARCH 2021.exe
996 SOA MARCH 2021.exe
996 SOA MARCH 2021.exe
1548 SOA MARCH 2021.exe
1548 SOA MARCH 2021.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SOA MARCH 2021.exeSOA MARCH 2021.exe

description pid process

Token: SeDebugPrivilege 996 SOA MARCH 2021.exe
Token: SeDebugPrivilege 1548 SOA MARCH 2021.exe

description	pid	process	target process
PID 996 set thread context of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe

pid	process
936	schtasks.exe

pid	process
996	SOA MARCH 2021.exe
996	SOA MARCH 2021.exe
996	SOA MARCH 2021.exe
996	SOA MARCH 2021.exe
1548	SOA MARCH 2021.exe
1548	SOA MARCH 2021.exe

description	pid	process
Token: SeDebugPrivilege	996	SOA MARCH 2021.exe
Token: SeDebugPrivilege	1548	SOA MARCH 2021.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SOA MARCH 2021.exe

description	pid	process	target process
PID 996 wrote to memory of 936	996	SOA MARCH 2021.exe	schtasks.exe
PID 996 wrote to memory of 936	996	SOA MARCH 2021.exe	schtasks.exe
PID 996 wrote to memory of 936	996	SOA MARCH 2021.exe	schtasks.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe
PID 996 wrote to memory of 1548	996	SOA MARCH 2021.exe	SOA MARCH 2021.exe

C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uWJTdif" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBE.tmp"
2⤵
- Creates scheduled task(s)
PID:936

C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MARCH 2021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SOA MARCH 2021.exe.log
MD5
2004111a6d19b415cfdebc8238bd4f57

SHA1
413d4838d93a9136bbeea358a8ab519f47d003a6

SHA256
5ffdbafa2c3fd1dbe9aff106cc0178a16ee1d0af5ebab89f4753384eafd2ab69

SHA512
97bed46f3adace8cafe59c6616befe9c28444ac5276965478a382f2a38f3da8a849406a38dc683003f03a663c7b9dd03e4e52b9605455a9accae7177f49e1d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBE.tmp
MD5
ee49a4b6b687b38d13a201a597e89e3d

SHA1
5146797777d38bcd86a0771f0e7f8bdbc1798b03

SHA256
0223ac9e17081ecfe2d141abb9c42bea15a9f121c8a42ed404eb2c9f8de5bafd

SHA512
a0efa97362ba0e02aea9d335781f251e077c896d7299e9230d9214477af885e03312b6468a998b0494f73ea865ee57d4c178c0b8875d3dd5c49ee5479ae53b1f

Download Submit
memory/936-116-0x0000000000000000-mapping.dmp

Download
memory/996-114-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/996-115-0x000000007F0E0000-0x000000007F0E1000-memory.dmp

Filesize
4KB

Download
memory/1548-119-0x00000000004374CE-mapping.dmp

Download
memory/1548-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-121-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1548-122-0x0000000002991000-0x0000000002992000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads