agenttesla | aa1726ec4e7bc607566c3c181498b479506c40449f69319a7bf0981f4e052bfe

General

Target

Scan docs.exe
Size

926KB
MD5

94159f5873c12cd7ee9b2ab1a0123afc
SHA1

16bb42d7b6ec5536c06c4d7e424633940f61263d
SHA256

aa1726ec4e7bc607566c3c181498b479506c40449f69319a7bf0981f4e052bfe
SHA512

e815a803e83c7b1e8584a043286503842c8c79b4be7193b92950a0df637be661b53de4bf473278b5c038097af9fd2213908a5b90527d232205d1e6eb226d11b5

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.atlmexco.com
Port:
587
Username:
maksat@atlmexco.com
Password:
Ma1301

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-68-0x00000000004375DE-mapping.dmp	family_agenttesla
behavioral1/memory/1692-67-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1692-69-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan docs.exe

description pid process target process

PID 332 set thread context of 1692 332 Scan docs.exe Scan docs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Scan docs.exeScan docs.exe

pid process

332 Scan docs.exe
332 Scan docs.exe
332 Scan docs.exe
1692 Scan docs.exe
1692 Scan docs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Scan docs.exeScan docs.exe

description pid process

Token: SeDebugPrivilege 332 Scan docs.exe
Token: SeDebugPrivilege 1692 Scan docs.exe

description	pid	process	target process
PID 332 set thread context of 1692	332	Scan docs.exe	Scan docs.exe

pid	process
1528	schtasks.exe

pid	process
332	Scan docs.exe
332	Scan docs.exe
332	Scan docs.exe
1692	Scan docs.exe
1692	Scan docs.exe

description	pid	process
Token: SeDebugPrivilege	332	Scan docs.exe
Token: SeDebugPrivilege	1692	Scan docs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Scan docs.exe

description	pid	process	target process
PID 332 wrote to memory of 1528	332	Scan docs.exe	schtasks.exe
PID 332 wrote to memory of 1528	332	Scan docs.exe	schtasks.exe
PID 332 wrote to memory of 1528	332	Scan docs.exe	schtasks.exe
PID 332 wrote to memory of 1528	332	Scan docs.exe	schtasks.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe
PID 332 wrote to memory of 1692	332	Scan docs.exe	Scan docs.exe

C:\Users\Admin\AppData\Local\Temp\Scan docs.exe
"C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DfvHLzAuHD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp422E.tmp"
2⤵
- Creates scheduled task(s)
PID:1528

C:\Users\Admin\AppData\Local\Temp\Scan docs.exe
"C:\Users\Admin\AppData\Local\Temp\Scan docs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp422E.tmp
MD5
0f125ffb1cd0397577d64d1815291375

SHA1
f2069b36334564a6688ccdd1ea48ca64be7b91a1

SHA256
8174ed780b4fc77ab4a7699b53361ff54980eda40edab24cd3b37076e8608178

SHA512
4c548121bafc57241bc9cdb30c373ebbf1fd39df5307921142727f4c65b2a355805bf0b500aa471fd067a41bc58543d7c1a26782cda68371c054a608ac957b29

Download Submit
memory/332-59-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/332-61-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/332-62-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/332-63-0x0000000007D40000-0x0000000007DD2000-memory.dmp

Filesize
584KB

Download
memory/332-64-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1528-65-0x0000000000000000-mapping.dmp

Download
memory/1692-68-0x00000000004375DE-mapping.dmp

Download
memory/1692-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-71-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads