agenttesla | 1ba742a8035002362e46828bcb7a24342bed430d6bcd59999afd520dba3de81e

General

Target

QUOTATION 22072021.exe
Size

742KB
MD5

506887f557d9399e9cd663b65b2271d5
SHA1

4ff9f4cc2408073bf91b87a92ba6f6d74efcead0
SHA256

1ba742a8035002362e46828bcb7a24342bed430d6bcd59999afd520dba3de81e
SHA512

bb87d67afb0b9263f2802a5ca3d8b36c6e5a0005d7f5fec632e189db4f4337408d9b8994ed9ac2482efe379ef07ee0cf0ffbbadf4f17aba3ff951a09f8d67204

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.totalkitchensandbathrooms.com.au
Port:
587
Username:
[email protected]
Password:
Zs^I;kEMItH)

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/584-69-0x000000000043787E-mapping.dmp	family_agenttesla
behavioral1/memory/584-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/584-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QUOTATION 22072021.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"	QUOTATION 22072021.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATION 22072021.exe

description pid process target process

PID 2020 set thread context of 584 2020 QUOTATION 22072021.exe QUOTATION 22072021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1912 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

QUOTATION 22072021.exe

pid process

584 QUOTATION 22072021.exe
584 QUOTATION 22072021.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QUOTATION 22072021.exe

description pid process

Token: SeDebugPrivilege 584 QUOTATION 22072021.exe

description	pid	process	target process
PID 2020 set thread context of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe

pid	process
1912	schtasks.exe

pid	process
584	QUOTATION 22072021.exe
584	QUOTATION 22072021.exe

description	pid	process
Token: SeDebugPrivilege	584	QUOTATION 22072021.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

QUOTATION 22072021.exe

description	pid	process	target process
PID 2020 wrote to memory of 1912	2020	QUOTATION 22072021.exe	schtasks.exe
PID 2020 wrote to memory of 1912	2020	QUOTATION 22072021.exe	schtasks.exe
PID 2020 wrote to memory of 1912	2020	QUOTATION 22072021.exe	schtasks.exe
PID 2020 wrote to memory of 1912	2020	QUOTATION 22072021.exe	schtasks.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe
PID 2020 wrote to memory of 584	2020	QUOTATION 22072021.exe	QUOTATION 22072021.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vkQnefEsxy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3208.tmp"
2⤵
- Creates scheduled task(s)
PID:1912

C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 22072021.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3208.tmp
MD5
03591970430ce68612fcdaf09ad9702a

SHA1
4d85c39d72d4fc33b78f3226249fc82cb0cb7aec

SHA256
c027fd2a2484ece08f09c56af8c3679cde6194fcaff9ba767cd6abb6a3374c70

SHA512
3236746ed47f0cccf8594e0a744d7809ac2b911c40c52ac1453773827ab1449a7ad200bef33e4d9f4ed158345606112a0c2fdfb3db256e051010a01822ce8466

Download Submit
memory/584-69-0x000000000043787E-mapping.dmp

Download
memory/584-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-72-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1912-66-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2020-62-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2020-63-0x00000000003A0000-0x00000000003BB000-memory.dmp

Filesize
108KB

Download
memory/2020-64-0x0000000007F30000-0x0000000007FB1000-memory.dmp

Filesize
516KB

Download
memory/2020-65-0x0000000000B30000-0x0000000000B6D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads