agenttesla | 3e144aa347f286c75f9ffe827f6239652065f468794bf567e47d87e29c3ea53b

General

Target

INVOICE34_56730015.exe
Size

801KB
MD5

ad623a158d7f37f547dee2ba01646c0d
SHA1

3d55829677ffb85e1be6feded9bec255163fe250
SHA256

3e144aa347f286c75f9ffe827f6239652065f468794bf567e47d87e29c3ea53b
SHA512

756d907400810a392d43a7a87a44a7331383463f6a0b6b4608f83542736436d9665b5e3d6e2fffebd532aa43680d339baa344d60d7274dd26ef2f3f64f4dba9c

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dadabhoy.edu.pk
Port:
587
Username:
ghulam.sarwar@dadabhoy.edu.pk
Password:
Dadabhoy.456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1384-66-0x000000000043754E-mapping.dmp	family_agenttesla
behavioral1/memory/1384-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE34_56730015.exe

description pid process target process

PID 1088 set thread context of 1384 1088 INVOICE34_56730015.exe INVOICE34_56730015.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

INVOICE34_56730015.exeINVOICE34_56730015.exe

pid process

1088 INVOICE34_56730015.exe
1384 INVOICE34_56730015.exe
1384 INVOICE34_56730015.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INVOICE34_56730015.exeINVOICE34_56730015.exe

description pid process

Token: SeDebugPrivilege 1088 INVOICE34_56730015.exe
Token: SeDebugPrivilege 1384 INVOICE34_56730015.exe

description	pid	process	target process
PID 1088 set thread context of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe

pid	process
976	schtasks.exe

pid	process
1088	INVOICE34_56730015.exe
1384	INVOICE34_56730015.exe
1384	INVOICE34_56730015.exe

description	pid	process
Token: SeDebugPrivilege	1088	INVOICE34_56730015.exe
Token: SeDebugPrivilege	1384	INVOICE34_56730015.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

INVOICE34_56730015.exeINVOICE34_56730015.exe

description	pid	process	target process
PID 1088 wrote to memory of 976	1088	INVOICE34_56730015.exe	schtasks.exe
PID 1088 wrote to memory of 976	1088	INVOICE34_56730015.exe	schtasks.exe
PID 1088 wrote to memory of 976	1088	INVOICE34_56730015.exe	schtasks.exe
PID 1088 wrote to memory of 976	1088	INVOICE34_56730015.exe	schtasks.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1088 wrote to memory of 1384	1088	INVOICE34_56730015.exe	INVOICE34_56730015.exe
PID 1384 wrote to memory of 1736	1384	INVOICE34_56730015.exe	dw20.exe
PID 1384 wrote to memory of 1736	1384	INVOICE34_56730015.exe	dw20.exe
PID 1384 wrote to memory of 1736	1384	INVOICE34_56730015.exe	dw20.exe
PID 1384 wrote to memory of 1736	1384	INVOICE34_56730015.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aYuZDqTXEzFrc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D9C.tmp"
2⤵
- Creates scheduled task(s)
PID:976

C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 520
3⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D9C.tmp
MD5
1df55c94d58a52009bce6d68af7d3805

SHA1
b413d5f1495347ac924a462daed0e7bdc870ecd4

SHA256
2e1d5ab0a53635e48352bd9d8b11e5443b34560f6d0efcdf74a141b814328ec3

SHA512
7f0c4dca06b7de53d3f49ea1866dc1a8d7a1079667f13c042fc2a6db8023f6d609992b666c87494b452c74ae14b720fd36590e19861b59d865ca74a343e828f2

Download Submit
memory/976-63-0x0000000000000000-mapping.dmp

Download
memory/1088-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1088-61-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1088-62-0x00000000001E1000-0x00000000001E2000-memory.dmp

Filesize
4KB

Download
memory/1384-66-0x000000000043754E-mapping.dmp

Download
memory/1384-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-68-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1736-69-0x0000000000000000-mapping.dmp

Download
memory/1736-71-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads