agenttesla | d5c6e817e81a13cd55bf34551de9665821e3402bd4aa8c25ef302044502dc509

General

Target

Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
Size

940KB
MD5

4239f6a01b20697056527dc5c5b33794
SHA1

8c535c57e02423dd83f38225f0a2fbf517c558ea
SHA256

d5c6e817e81a13cd55bf34551de9665821e3402bd4aa8c25ef302044502dc509
SHA512

2792430bf7160e0067861dfc0e246048e035113af39f426ef4dd59b825bc610fb1cdcd83e70ae9d466d0b4cf65eade4c5eccb8bc8f7cac5c67417f7417c64aca

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.corroshield.co.id
Port:
587
Username:
procurement@corroshield.co.id
Password:
kramatjati1945

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/824-66-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/824-67-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral1/memory/824-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe

description	pid	process	target process
PID 484 set thread context of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exepowershell.exe

pid	process
824	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
824	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
332	powershell.exe
332	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe

pid process

824 Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	824	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
Token: SeDebugPrivilege	332	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe

description	pid	process	target process
PID 484 wrote to memory of 332	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	powershell.exe
PID 484 wrote to memory of 332	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	powershell.exe
PID 484 wrote to memory of 332	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	powershell.exe
PID 484 wrote to memory of 332	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	powershell.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
PID 484 wrote to memory of 824	484	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe	Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe

C:\Users\Admin\AppData\Local\Temp\Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
"C:\Users\Admin\AppData\Local\Temp\Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Users\Admin\AppData\Local\Temp\Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe
"C:\Users\Admin\AppData\Local\Temp\Frozen Seafood Specification BT vannamei shrimps mackerel supply data RFQ 3FCL 0086211052021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:824

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-85-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/332-86-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/332-73-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/332-110-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/332-74-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/332-65-0x0000000000000000-mapping.dmp

Download
memory/332-109-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/332-76-0x0000000004812000-0x0000000004813000-memory.dmp

Filesize
4KB

Download
memory/332-108-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/332-70-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/332-94-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/332-72-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/332-93-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/332-80-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/332-77-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/332-75-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/484-64-0x00000000048A0000-0x000000000493B000-memory.dmp

Filesize
620KB

Download
memory/484-59-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/484-61-0x0000000000590000-0x0000000000594000-memory.dmp

Filesize
16KB

Download
memory/484-62-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/484-63-0x0000000005360000-0x0000000005435000-memory.dmp

Filesize
852KB

Download
memory/824-67-0x000000000043764E-mapping.dmp

Download
memory/824-71-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/824-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads