agenttesla | 04bc957b4a8ec5780077baf2e8960cddfcef204cad9eebee56efbc647658da7e

General

Target

New PO 3112021 pdf.exe
Size

1.1MB
MD5

9b1e8cf1b62804c4fdf40c97d4680c5b
SHA1

7ab69368a60fc7c0ab2895435b78a68044c05456
SHA256

04bc957b4a8ec5780077baf2e8960cddfcef204cad9eebee56efbc647658da7e
SHA512

d3d4f448a301a61b3977f2984a2ed084b4996acd9f51662c3eaef859c2096b6defbc644321fd783bf50fc30c15ffeb72fc24c92283fcc9116122ecafc5b59d25

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.esquiresweaters.com
Port:
587
Username:
[email protected]
Password:
Esquire@#2078

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1328-127-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/1328-128-0x000000000043766E-mapping.dmp	family_agenttesla
behavioral2/memory/1328-134-0x0000000005810000-0x0000000005D0E000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

New PO 3112021 pdf.exe

description pid process target process

PID 3716 set thread context of 1328 3716 New PO 3112021 pdf.exe New PO 3112021 pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

New PO 3112021 pdf.exeNew PO 3112021 pdf.exe

pid process

3716 New PO 3112021 pdf.exe
1328 New PO 3112021 pdf.exe
1328 New PO 3112021 pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New PO 3112021 pdf.exeNew PO 3112021 pdf.exe

description pid process

Token: SeDebugPrivilege 3716 New PO 3112021 pdf.exe
Token: SeDebugPrivilege 1328 New PO 3112021 pdf.exe

description	pid	process	target process
PID 3716 set thread context of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe

pid	process
3968	schtasks.exe

pid	process
3716	New PO 3112021 pdf.exe
1328	New PO 3112021 pdf.exe
1328	New PO 3112021 pdf.exe

description	pid	process
Token: SeDebugPrivilege	3716	New PO 3112021 pdf.exe
Token: SeDebugPrivilege	1328	New PO 3112021 pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

New PO 3112021 pdf.exe

description	pid	process	target process
PID 3716 wrote to memory of 3968	3716	New PO 3112021 pdf.exe	schtasks.exe
PID 3716 wrote to memory of 3968	3716	New PO 3112021 pdf.exe	schtasks.exe
PID 3716 wrote to memory of 3968	3716	New PO 3112021 pdf.exe	schtasks.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe
PID 3716 wrote to memory of 1328	3716	New PO 3112021 pdf.exe	New PO 3112021 pdf.exe

C:\Users\Admin\AppData\Local\Temp\New PO 3112021 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New PO 3112021 pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gUuwnHJxGO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39CE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\New PO 3112021 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\New PO 3112021 pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO 3112021 pdf.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39CE.tmp

MD5
84d3bbda2d5d6a95b38b855569d280e3

SHA1
1a12aa720f2ce5252d577dc76ccac7dac9483cea

SHA256
8414ecfaa1fba5457b59c77047b8382e87ed09ee1bad2105031e9cf28fbbd1d9

SHA512
7fbd1e423e4db13bd01bb353c0d078ab8cb8311835221ba66b6990dfc587932ea6787c74d208fcc659199a2fb0fbe61b94e4c3b43ea4f26ea051763d6505246d

Download Submit
memory/1328-136-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1328-135-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1328-134-0x0000000005810000-0x0000000005D0E000-memory.dmp

Filesize
5.0MB

Download
memory/1328-128-0x000000000043766E-mapping.dmp

Download
memory/1328-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-119-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3716-123-0x0000000000F20000-0x0000000000FA2000-memory.dmp

Filesize
520KB

Download
memory/3716-124-0x0000000006E00000-0x0000000006E3D000-memory.dmp

Filesize
244KB

Download
memory/3716-122-0x0000000005460000-0x000000000547B000-memory.dmp

Filesize
108KB

Download
memory/3716-121-0x0000000005080000-0x000000000557E000-memory.dmp

Filesize
5.0MB

Download
memory/3716-120-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3716-114-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3716-118-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3716-117-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3716-116-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3968-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads