agenttesla | f3299da1eb5ad076c503fa440ba15e4bb418fa17b5cf0315620eaecf3b618de5

General

Target

Ei76uYS4ahe752B.exe
Size

670KB
MD5

37bdeb7dd32f6bf7ef310ca575f4236d
SHA1

fbd39cda4384a9bef901bb74afe2e42240fde4b2
SHA256

f3299da1eb5ad076c503fa440ba15e4bb418fa17b5cf0315620eaecf3b618de5
SHA512

b42edd28261294da3d6ac4c0a53ce5a1fbc6fe4060790c84e554139377a6c278fda6f045c0f086c667d72755c0ee7a7f97884d75e37930e62cafb4b00db4ca4d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.caltra.pt
Port:
587
Username:
ricardo.godinho@caltra.pt
Password:
caltra1589

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1352-69-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral1/memory/1352-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1352-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Ei76uYS4ahe752B.exe

description pid process target process

PID 1888 set thread context of 1352 1888 Ei76uYS4ahe752B.exe Ei76uYS4ahe752B.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Ei76uYS4ahe752B.exe

pid process

1352 Ei76uYS4ahe752B.exe
1352 Ei76uYS4ahe752B.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ei76uYS4ahe752B.exe

description pid process

Token: SeDebugPrivilege 1352 Ei76uYS4ahe752B.exe

description	pid	process	target process
PID 1888 set thread context of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe

pid	process
1076	schtasks.exe

pid	process
1352	Ei76uYS4ahe752B.exe
1352	Ei76uYS4ahe752B.exe

description	pid	process
Token: SeDebugPrivilege	1352	Ei76uYS4ahe752B.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Ei76uYS4ahe752B.exe

description	pid	process	target process
PID 1888 wrote to memory of 1076	1888	Ei76uYS4ahe752B.exe	schtasks.exe
PID 1888 wrote to memory of 1076	1888	Ei76uYS4ahe752B.exe	schtasks.exe
PID 1888 wrote to memory of 1076	1888	Ei76uYS4ahe752B.exe	schtasks.exe
PID 1888 wrote to memory of 1076	1888	Ei76uYS4ahe752B.exe	schtasks.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe
PID 1888 wrote to memory of 1352	1888	Ei76uYS4ahe752B.exe	Ei76uYS4ahe752B.exe

C:\Users\Admin\AppData\Local\Temp\Ei76uYS4ahe752B.exe
"C:\Users\Admin\AppData\Local\Temp\Ei76uYS4ahe752B.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYFvmNSaXwQGa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA40C.tmp"
2⤵
- Creates scheduled task(s)
PID:1076

C:\Users\Admin\AppData\Local\Temp\Ei76uYS4ahe752B.exe
"C:\Users\Admin\AppData\Local\Temp\Ei76uYS4ahe752B.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA40C.tmp
MD5
9725e42981515f26bf464636219de246

SHA1
a1104237b90f00d382546ecc24bc15a5b32a1cdf

SHA256
ce8476934ff9c5ed01751fae792eda9b6934b42e369585f8309a5fc4efbfd6c9

SHA512
ec789ea3ad6cad7b6139521dccdc6fd7a7eea40446b47595d1b4d23ef9d7d1330543ef687fa61354672801dbf1a5298056c6dad72aabe516202fa16040e29691

Download Submit
memory/1076-66-0x0000000000000000-mapping.dmp

Download
memory/1352-69-0x000000000043763E-mapping.dmp

Download
memory/1352-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-72-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1888-60-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1888-62-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1888-63-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/1888-64-0x00000000042E0000-0x0000000004356000-memory.dmp

Filesize
472KB

Download
memory/1888-65-0x0000000004810000-0x000000000484E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads