agenttesla | 5a8ea261a8f88443529553058026027054b62c7dc2969632de08212db8293e27

General

Target

Project Enquiry - KHI To LSG.exe
Size

853KB
MD5

c895410694b7aaed3c3495536c240a93
SHA1

3abe57e1d7073caf1711dbc4bd82df7379f47211
SHA256

5a8ea261a8f88443529553058026027054b62c7dc2969632de08212db8293e27
SHA512

9fb79b5301ef47f5389cc5a08de07fd26f383d77d3d1578f3de7dfaebdd19a586360c006c9cdbd86efb60a38c7e0fc39548cd39a8e96cde6110a76ec53f5a9cb

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1855581212:AAGSsAgiKOAKCEx8_hulz-BQit55_qDVNsM/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1852-69-0x000000000043774E-mapping.dmp	family_agenttesla
behavioral1/memory/1852-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1852-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Project Enquiry - KHI To LSG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NewApp\\NewApp.exe"	Project Enquiry - KHI To LSG.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Project Enquiry - KHI To LSG.exe

description pid process target process

PID 1840 set thread context of 1852 1840 Project Enquiry - KHI To LSG.exe Project Enquiry - KHI To LSG.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

788 schtasks.exe

description	pid	process	target process
PID 1840 set thread context of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe

pid	process
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Project Enquiry - KHI To LSG.exeProject Enquiry - KHI To LSG.exe

pid	process
1840	Project Enquiry - KHI To LSG.exe
1840	Project Enquiry - KHI To LSG.exe
1852	Project Enquiry - KHI To LSG.exe
1852	Project Enquiry - KHI To LSG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Project Enquiry - KHI To LSG.exeProject Enquiry - KHI To LSG.exe

description pid process

Token: SeDebugPrivilege 1840 Project Enquiry - KHI To LSG.exe
Token: SeDebugPrivilege 1852 Project Enquiry - KHI To LSG.exe

description	pid	process
Token: SeDebugPrivilege	1840	Project Enquiry - KHI To LSG.exe
Token: SeDebugPrivilege	1852	Project Enquiry - KHI To LSG.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Project Enquiry - KHI To LSG.exe

C:\Users\Admin\AppData\Local\Temp\Project Enquiry - KHI To LSG.exe
"C:\Users\Admin\AppData\Local\Temp\Project Enquiry - KHI To LSG.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gzrJtoA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp52E1.tmp"
2⤵
- Creates scheduled task(s)
PID:788

C:\Users\Admin\AppData\Local\Temp\Project Enquiry - KHI To LSG.exe
"C:\Users\Admin\AppData\Local\Temp\Project Enquiry - KHI To LSG.exe"
2⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\Project Enquiry - KHI To LSG.exe
"C:\Users\Admin\AppData\Local\Temp\Project Enquiry - KHI To LSG.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp52E1.tmp
MD5
8e33069f8d392b6ab62477377a9a6097

SHA1
68a27020cc6203e3a4fa92a8197f0bf2729f09c2

SHA256
718bf2226dc2755c3730643cf52bcf2b5d16863126bb1081500187478d368673

SHA512
39a287375fe594b00b1dc50b615516f7c91061b5a15c0244eb71d4814234b769cacf4b00a2c6001e89e0b258678de02a53f4f3a82e23687a9cd12fde5096239c

Download Submit
memory/788-66-0x0000000000000000-mapping.dmp

Download
memory/1840-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1840-62-0x00000000005F0000-0x00000000005F4000-memory.dmp

Filesize
16KB

Download
memory/1840-63-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1840-64-0x0000000005270000-0x000000000532D000-memory.dmp

Filesize
756KB

Download
memory/1840-65-0x0000000005460000-0x00000000054EA000-memory.dmp

Filesize
552KB

Download
memory/1852-69-0x000000000043774E-mapping.dmp

Download
memory/1852-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-72-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1840 wrote to memory of 788	1840	Project Enquiry - KHI To LSG.exe	schtasks.exe
PID 1840 wrote to memory of 788	1840	Project Enquiry - KHI To LSG.exe	schtasks.exe
PID 1840 wrote to memory of 788	1840	Project Enquiry - KHI To LSG.exe	schtasks.exe
PID 1840 wrote to memory of 788	1840	Project Enquiry - KHI To LSG.exe	schtasks.exe
PID 1840 wrote to memory of 1016	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1016	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1016	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1016	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe
PID 1840 wrote to memory of 1852	1840	Project Enquiry - KHI To LSG.exe	Project Enquiry - KHI To LSG.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads