agenttesla | 804879b5f78a4dfc5ecda6c01e3ff45f487785d73cb70dfce4f46e35f639db3f

General

Target

Swift Copy.pdf.exe
Size

889KB
MD5

dd2eb46743bf230998439673e3deba99
SHA1

4871d34e0db77e32f627e74b92e9a9fbdef7a21a
SHA256

ab417e35533138c082445ac1997401837c2be3af4527860f3b5c30dcabd325cb
SHA512

9ddf626833dc5551ad869214590c23b11e8ca16bc37959608c960f283bfef027b451a8f7fabff9d0678d24cabf2de12a509c8a75e524643cf29faf2a1d275b33

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.saudimedlabexpo.com
Port:
587
Username:
info@saudimedlabexpo.com
Password:
]dTqP-]^T]Pt

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2688-138-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2688-139-0x00000000004375BE-mapping.dmp	family_agenttesla
behavioral2/memory/2688-153-0x0000000005290000-0x000000000578E000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Swift Copy.pdf.exe

description pid process target process

PID 3400 set thread context of 2688 3400 Swift Copy.pdf.exe Swift Copy.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1144 schtasks.exe

description	pid	process	target process
PID 3400 set thread context of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe

pid	process
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Swift Copy.pdf.exepowershell.exepowershell.exeSwift Copy.pdf.exepowershell.exe

pid	process
3400	Swift Copy.pdf.exe
3400	Swift Copy.pdf.exe
3400	Swift Copy.pdf.exe
3408	powershell.exe
3104	powershell.exe
2688	Swift Copy.pdf.exe
2688	Swift Copy.pdf.exe
2060	powershell.exe
3408	powershell.exe
3104	powershell.exe
2060	powershell.exe
3408	powershell.exe
2060	powershell.exe
3104	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Swift Copy.pdf.exepowershell.exepowershell.exeSwift Copy.pdf.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3400	Swift Copy.pdf.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2688	Swift Copy.pdf.exe
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Swift Copy.pdf.exe

description	pid	process	target process
PID 3400 wrote to memory of 3408	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 3408	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 3408	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 3104	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 3104	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 3104	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 1144	3400	Swift Copy.pdf.exe	schtasks.exe
PID 3400 wrote to memory of 1144	3400	Swift Copy.pdf.exe	schtasks.exe
PID 3400 wrote to memory of 1144	3400	Swift Copy.pdf.exe	schtasks.exe
PID 3400 wrote to memory of 2060	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 2060	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 2060	3400	Swift Copy.pdf.exe	powershell.exe
PID 3400 wrote to memory of 1468	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 1468	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 1468	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe
PID 3400 wrote to memory of 2688	3400	Swift Copy.pdf.exe	Swift Copy.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXGWcUXNvU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DXGWcUXNvU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9F6.tmp"
2⤵
- Creates scheduled task(s)
PID:1144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXGWcUXNvU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
2⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
29e1ab61ea9128c5f0a1ffa0111c2013

SHA1
37eb6f4a7bd063d386d429414507edf9f6aeeb62

SHA256
65bbaf09dab810d780c1a9c595611060987bc5ed6af12d6aac83dc4b9ef47a84

SHA512
56f3c6f3e7c02da08fd705d0d9aec3be0184e18241c27eeced5dd473e09e0a00cb8bc4cd2ebdfb2b623f9ce49309abae8db933b8265ee0b5934bb7cdd5dc6411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
de8d627b69bb0060e4f4434bd16be4e0

SHA1
33705f517cc5a400c50093650668c62bc3d0af7b

SHA256
9b1c3f9a629e48f8b5f93e729cf58defc6e28ae259a55418bffa9f08fbbae87c

SHA512
78b17acc2ef6345c8d0433c1feb5f52d2a4f10ebb8c483064bbd318e987ba5536a4d634fc299ca49df288ccacbe32f9d6e4a09a0675c3d0639e6f7a7dc83609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9F6.tmp
MD5
009405d3c07c8a71e09971b9a2920a6a

SHA1
a96ed56726083ca804df6ec349cd363657a8edc7

SHA256
8d088c32888740a9c04c57177667a0c08a8c787194847b25594ae5ead6391507

SHA512
3d7f5ffa7949dbb2d960f92eceb06f392369f4f56ad96e3dba7ae94b4e13bf32c853047d51867a16ec82d0db48d9f05bc806dc6856bea6cd8bf63cf5feca5126

Download Submit
memory/1144-127-0x0000000000000000-mapping.dmp

Download
memory/2060-170-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2060-196-0x0000000004683000-0x0000000004684000-memory.dmp

Filesize
4KB

Download
memory/2060-193-0x000000007E590000-0x000000007E591000-memory.dmp

Filesize
4KB

Download
memory/2060-137-0x0000000000000000-mapping.dmp

Download
memory/2060-158-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/2060-157-0x0000000004682000-0x0000000004683000-memory.dmp

Filesize
4KB

Download
memory/2688-139-0x00000000004375BE-mapping.dmp

Download
memory/2688-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-153-0x0000000005290000-0x000000000578E000-memory.dmp

Filesize
5.0MB

Download
memory/3104-147-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/3104-149-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3104-167-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/3104-192-0x000000007F880000-0x000000007F881000-memory.dmp

Filesize
4KB

Download
memory/3104-148-0x0000000003212000-0x0000000003213000-memory.dmp

Filesize
4KB

Download
memory/3104-126-0x0000000000000000-mapping.dmp

Download
memory/3104-197-0x0000000003213000-0x0000000003214000-memory.dmp

Filesize
4KB

Download
memory/3400-122-0x0000000004D20000-0x0000000004D24000-memory.dmp

Filesize
16KB

Download
memory/3400-120-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3400-121-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3400-123-0x0000000005BE0000-0x0000000005CA8000-memory.dmp

Filesize
800KB

Download
memory/3400-119-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/3400-118-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3400-117-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3400-124-0x0000000008170000-0x0000000008200000-memory.dmp

Filesize
576KB

Download
memory/3400-116-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3400-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3408-125-0x0000000000000000-mapping.dmp

Download
memory/3408-173-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/3408-161-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/3408-156-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/3408-194-0x000000007F4E0000-0x000000007F4E1000-memory.dmp

Filesize
4KB

Download
memory/3408-195-0x00000000068A3000-0x00000000068A4000-memory.dmp

Filesize
4KB

Download
memory/3408-154-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3408-143-0x00000000068A2000-0x00000000068A3000-memory.dmp

Filesize
4KB

Download
memory/3408-142-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/3408-131-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/3408-130-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads