agenttesla | 804879b5f78a4dfc5ecda6c01e3ff45f487785d73cb70dfce4f46e35f639db3f

General

Target

Swift Copy.pdf.exe
Size

889KB
MD5

dd2eb46743bf230998439673e3deba99
SHA1

4871d34e0db77e32f627e74b92e9a9fbdef7a21a
SHA256

ab417e35533138c082445ac1997401837c2be3af4527860f3b5c30dcabd325cb
SHA512

9ddf626833dc5551ad869214590c23b11e8ca16bc37959608c960f283bfef027b451a8f7fabff9d0678d24cabf2de12a509c8a75e524643cf29faf2a1d275b33

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.saudimedlabexpo.com
Port:
587
Username:
info@saudimedlabexpo.com
Password:
]dTqP-]^T]Pt

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2880-138-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2880-139-0x00000000004375BE-mapping.dmp	family_agenttesla
behavioral2/memory/2880-152-0x0000000005230000-0x000000000572E000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Swift Copy.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\pGKuRU = "C:\\Users\\Admin\\AppData\\Roaming\\pGKuRU\\pGKuRU.exe"	Swift Copy.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Swift Copy.pdf.exe

description pid process target process

PID 772 set thread context of 2880 772 Swift Copy.pdf.exe Swift Copy.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1564 schtasks.exe

description	pid	process	target process
PID 772 set thread context of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe

pid	process
1564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Swift Copy.pdf.exeSwift Copy.pdf.exepowershell.exepowershell.exepowershell.exe

pid	process
772	Swift Copy.pdf.exe
772	Swift Copy.pdf.exe
772	Swift Copy.pdf.exe
2880	Swift Copy.pdf.exe
2880	Swift Copy.pdf.exe
3116	powershell.exe
400	powershell.exe
1340	powershell.exe
400	powershell.exe
1340	powershell.exe
3116	powershell.exe
1340	powershell.exe
3116	powershell.exe
400	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Swift Copy.pdf.exeSwift Copy.pdf.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	772	Swift Copy.pdf.exe
Token: SeDebugPrivilege	2880	Swift Copy.pdf.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Swift Copy.pdf.exe

description	pid	process	target process
PID 772 wrote to memory of 1340	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 1340	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 1340	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 3116	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 3116	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 3116	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 1564	772	Swift Copy.pdf.exe	schtasks.exe
PID 772 wrote to memory of 1564	772	Swift Copy.pdf.exe	schtasks.exe
PID 772 wrote to memory of 1564	772	Swift Copy.pdf.exe	schtasks.exe
PID 772 wrote to memory of 400	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 400	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 400	772	Swift Copy.pdf.exe	powershell.exe
PID 772 wrote to memory of 2764	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2764	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2764	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 772 wrote to memory of 2880	772	Swift Copy.pdf.exe	Swift Copy.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXGWcUXNvU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DXGWcUXNvU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB93F.tmp"
2⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXGWcUXNvU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
2⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9566896644db514a120b5affe2b03bd2

SHA1
2f06dbdb0172344735028dd55d97a6bcce6482b3

SHA256
f8c14530108796f79e89efbd38695450dde222290768fc1c28a299030a22b944

SHA512
fc505b30643550196f3b1da9fde1f5f713c17599783b0a7115566468bb3056dcd361bd33cd32010128e97943e36cf4ac440014bf9db96b38cc56992c1cbfeeeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9566896644db514a120b5affe2b03bd2

SHA1
2f06dbdb0172344735028dd55d97a6bcce6482b3

SHA256
f8c14530108796f79e89efbd38695450dde222290768fc1c28a299030a22b944

SHA512
fc505b30643550196f3b1da9fde1f5f713c17599783b0a7115566468bb3056dcd361bd33cd32010128e97943e36cf4ac440014bf9db96b38cc56992c1cbfeeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB93F.tmp
MD5
009405d3c07c8a71e09971b9a2920a6a

SHA1
a96ed56726083ca804df6ec349cd363657a8edc7

SHA256
8d088c32888740a9c04c57177667a0c08a8c787194847b25594ae5ead6391507

SHA512
3d7f5ffa7949dbb2d960f92eceb06f392369f4f56ad96e3dba7ae94b4e13bf32c853047d51867a16ec82d0db48d9f05bc806dc6856bea6cd8bf63cf5feca5126

Download Submit
memory/400-197-0x0000000006D33000-0x0000000006D34000-memory.dmp

Filesize
4KB

Download
memory/400-155-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/400-158-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/400-161-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/400-164-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/400-173-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/400-137-0x0000000000000000-mapping.dmp

Download
memory/400-153-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/400-193-0x000000007F990000-0x000000007F991000-memory.dmp

Filesize
4KB

Download
memory/772-123-0x00000000058E0000-0x00000000059A8000-memory.dmp

Filesize
800KB

Download
memory/772-116-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/772-117-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/772-118-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/772-124-0x0000000007E70000-0x0000000007F00000-memory.dmp

Filesize
576KB

Download
memory/772-119-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/772-122-0x0000000004CE0000-0x0000000004CE4000-memory.dmp

Filesize
16KB

Download
memory/772-114-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/772-121-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/772-120-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1340-150-0x0000000006D22000-0x0000000006D23000-memory.dmp

Filesize
4KB

Download
memory/1340-194-0x0000000006D23000-0x0000000006D24000-memory.dmp

Filesize
4KB

Download
memory/1340-125-0x0000000000000000-mapping.dmp

Download
memory/1340-154-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/1340-130-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/1340-148-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/1340-133-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1340-167-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/1340-170-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/1340-195-0x000000007FB90000-0x000000007FB91000-memory.dmp

Filesize
4KB

Download
memory/1564-135-0x0000000000000000-mapping.dmp

Download
memory/2880-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-152-0x0000000005230000-0x000000000572E000-memory.dmp

Filesize
5.0MB

Download
memory/2880-139-0x00000000004375BE-mapping.dmp

Download
memory/3116-192-0x000000007EB10000-0x000000007EB11000-memory.dmp

Filesize
4KB

Download
memory/3116-196-0x00000000010D3000-0x00000000010D4000-memory.dmp

Filesize
4KB

Download
memory/3116-149-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3116-126-0x0000000000000000-mapping.dmp

Download
memory/3116-151-0x00000000010D2000-0x00000000010D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads