agenttesla | 1ba742a8035002362e46828bcb7a24342bed430d6bcd59999afd520dba3de81e

General

Target

QUOTATION 22072021.exe
Size

742KB
MD5

506887f557d9399e9cd663b65b2271d5
SHA1

4ff9f4cc2408073bf91b87a92ba6f6d74efcead0
SHA256

1ba742a8035002362e46828bcb7a24342bed430d6bcd59999afd520dba3de81e
SHA512

bb87d67afb0b9263f2802a5ca3d8b36c6e5a0005d7f5fec632e189db4f4337408d9b8994ed9ac2482efe379ef07ee0cf0ffbbadf4f17aba3ff951a09f8d67204

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.totalkitchensandbathrooms.com.au
Port:
587
Username:
[email protected]
Password:
Zs^I;kEMItH)

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-68-0x000000000043787E-mapping.dmp	family_agenttesla
behavioral1/memory/1844-67-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1844-69-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QUOTATION 22072021.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"	QUOTATION 22072021.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATION 22072021.exe

description pid process target process

PID 2004 set thread context of 1844 2004 QUOTATION 22072021.exe QUOTATION 22072021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

QUOTATION 22072021.exeQUOTATION 22072021.exe

pid process

2004 QUOTATION 22072021.exe
1844 QUOTATION 22072021.exe
1844 QUOTATION 22072021.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QUOTATION 22072021.exeQUOTATION 22072021.exe

description pid process

Token: SeDebugPrivilege 2004 QUOTATION 22072021.exe
Token: SeDebugPrivilege 1844 QUOTATION 22072021.exe

description	pid	process	target process
PID 2004 set thread context of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe

pid	process
1752	schtasks.exe

pid	process
2004	QUOTATION 22072021.exe
1844	QUOTATION 22072021.exe
1844	QUOTATION 22072021.exe

description	pid	process
Token: SeDebugPrivilege	2004	QUOTATION 22072021.exe
Token: SeDebugPrivilege	1844	QUOTATION 22072021.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

QUOTATION 22072021.exe

description	pid	process	target process
PID 2004 wrote to memory of 1752	2004	QUOTATION 22072021.exe	schtasks.exe
PID 2004 wrote to memory of 1752	2004	QUOTATION 22072021.exe	schtasks.exe
PID 2004 wrote to memory of 1752	2004	QUOTATION 22072021.exe	schtasks.exe
PID 2004 wrote to memory of 1752	2004	QUOTATION 22072021.exe	schtasks.exe
PID 2004 wrote to memory of 1812	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1812	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1812	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1812	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2004 wrote to memory of 1844	2004	QUOTATION 22072021.exe	QUOTATION 22072021.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vkQnefEsxy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35FE.tmp"
2⤵
- Creates scheduled task(s)
PID:1752

C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe"
2⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp35FE.tmp
MD5
c055c840b1c01c1b1d8aa36ae7b0e3bf

SHA1
5037e48b7d32c22bcd5bed634e48cd645a665ef4

SHA256
69955caafb36dfccad623744f9b5f7f752ae5fef91c053ff83fc8c426577db39

SHA512
7b50680ea48e07497fa91c022576c7f2ad1c8be64db497be8c46e6386b32e73e43270e511669ea93907b36b96dccfa28221788f6af7db46dac4051f49d3278a7

Download Submit
memory/1752-65-0x0000000000000000-mapping.dmp

Download
memory/1844-68-0x000000000043787E-mapping.dmp

Download
memory/1844-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-71-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2004-59-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2004-61-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/2004-62-0x00000000003F0000-0x000000000040B000-memory.dmp

Filesize
108KB

Download
memory/2004-63-0x0000000005D70000-0x0000000005DF1000-memory.dmp

Filesize
516KB

Download
memory/2004-64-0x0000000000820000-0x000000000085D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads