agenttesla | 7b1d2f2e48d2f1c83a5524ae8febc8594f67d1bfdd76955b9a98e91bd6494279

General

Target

RFQ.pif.exe
Size

793KB
MD5

8faf3df57f1bf78beea427593b0910c4
SHA1

34f825ae4105d49603ca58ce36eed47ccce94f62
SHA256

7b1d2f2e48d2f1c83a5524ae8febc8594f67d1bfdd76955b9a98e91bd6494279
SHA512

d6113bbdd60af4f667ad5e6cf47edc5fe4b445a6696458bc18a4ab4bea114689f32b3a474c230a9152e175f4bec2c8289f0d2c13c9d699211d4ef3051b7807d9

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
myrecords1248

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2872-203-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2872-204-0x00000000004375DE-mapping.dmp	family_agenttesla
behavioral2/memory/2872-210-0x00000000051B0000-0x00000000056AE000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ.pif.exe

description pid process target process

PID 740 set thread context of 2872 740 RFQ.pif.exe RFQ.pif.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4012 PING.EXE
2264 PING.EXE
3424 PING.EXE
1000 PING.EXE

description	pid	process	target process
PID 740 set thread context of 2872	740	RFQ.pif.exe	RFQ.pif.exe

pid	process
4012	PING.EXE
2264	PING.EXE
3424	PING.EXE
1000	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRFQ.pif.exeRFQ.pif.exe

pid	process
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
740	RFQ.pif.exe
740	RFQ.pif.exe
740	RFQ.pif.exe
740	RFQ.pif.exe
740	RFQ.pif.exe
740	RFQ.pif.exe
2872	RFQ.pif.exe
2872	RFQ.pif.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRFQ.pif.exeRFQ.pif.exe

description	pid	process
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	740	RFQ.pif.exe
Token: SeDebugPrivilege	2872	RFQ.pif.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

RFQ.pif.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 740 wrote to memory of 2272	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 2272	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 2272	740	RFQ.pif.exe	powershell.exe
PID 2272 wrote to memory of 1000	2272	powershell.exe	PING.EXE
PID 2272 wrote to memory of 1000	2272	powershell.exe	PING.EXE
PID 2272 wrote to memory of 1000	2272	powershell.exe	PING.EXE
PID 740 wrote to memory of 2192	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 2192	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 2192	740	RFQ.pif.exe	powershell.exe
PID 2192 wrote to memory of 4012	2192	powershell.exe	PING.EXE
PID 2192 wrote to memory of 4012	2192	powershell.exe	PING.EXE
PID 2192 wrote to memory of 4012	2192	powershell.exe	PING.EXE
PID 740 wrote to memory of 3404	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 3404	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 3404	740	RFQ.pif.exe	powershell.exe
PID 3404 wrote to memory of 2264	3404	powershell.exe	PING.EXE
PID 3404 wrote to memory of 2264	3404	powershell.exe	PING.EXE
PID 3404 wrote to memory of 2264	3404	powershell.exe	PING.EXE
PID 740 wrote to memory of 2904	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 2904	740	RFQ.pif.exe	powershell.exe
PID 740 wrote to memory of 2904	740	RFQ.pif.exe	powershell.exe
PID 2904 wrote to memory of 3424	2904	powershell.exe	PING.EXE
PID 2904 wrote to memory of 3424	2904	powershell.exe	PING.EXE
PID 2904 wrote to memory of 3424	2904	powershell.exe	PING.EXE
PID 740 wrote to memory of 3772	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 3772	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 3772	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe
PID 740 wrote to memory of 2872	740	RFQ.pif.exe	RFQ.pif.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.pif.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.pif.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:3424

C:\Users\Admin\AppData\Local\Temp\RFQ.pif.exe
C:\Users\Admin\AppData\Local\Temp\RFQ.pif.exe
2⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\RFQ.pif.exe
C:\Users\Admin\AppData\Local\Temp\RFQ.pif.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.pif.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d4c56dec4203e73949bc8da709350789

SHA1
d8ea857fc5242ab7f2d27e38a021941d1f062fa4

SHA256
a467fd9652758c4930987ef99be0567bdec81c09494499e91e7519d924e5e674

SHA512
cc5ad974db3d721dc6839812a86955bd2f968ab53db6a01b0515e31ed9d345a3e5c28773acdfa6aa139168272cdcdc63e7b0026810668e1dd7168c5016a6f05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d4c56dec4203e73949bc8da709350789

SHA1
d8ea857fc5242ab7f2d27e38a021941d1f062fa4

SHA256
a467fd9652758c4930987ef99be0567bdec81c09494499e91e7519d924e5e674

SHA512
cc5ad974db3d721dc6839812a86955bd2f968ab53db6a01b0515e31ed9d345a3e5c28773acdfa6aa139168272cdcdc63e7b0026810668e1dd7168c5016a6f05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c681808806acf1e1273942a877ffa77

SHA1
b7d684fc241dcf3091830ed87927247c42bcac58

SHA256
ed5021ba5ad031fb63844b83beb0b7b52e9c7072e0ac91d15b8c8b372c6648de

SHA512
8256778799b1eeec86c79f06ca5e6337a6fb5dbdf511b1f5c0eab5ed94d85e0e0de0e2a7ffc052411f6706bae3363bb0b70b231aacc867b2bb037d94715eba17

Download Submit
memory/740-120-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/740-116-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/740-199-0x0000000009250000-0x00000000092B2000-memory.dmp

Filesize
392KB

Download
memory/740-194-0x0000000006D20000-0x0000000006D70000-memory.dmp

Filesize
320KB

Download
memory/740-119-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/740-117-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/740-118-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/1000-135-0x0000000000000000-mapping.dmp

Download
memory/2192-168-0x0000000004E34000-0x0000000004E36000-memory.dmp

Filesize
8KB

Download
memory/2192-167-0x0000000004E33000-0x0000000004E34000-memory.dmp

Filesize
4KB

Download
memory/2192-143-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2192-145-0x0000000004E32000-0x0000000004E33000-memory.dmp

Filesize
4KB

Download
memory/2192-136-0x0000000000000000-mapping.dmp

Download
memory/2264-174-0x0000000000000000-mapping.dmp

Download
memory/2272-152-0x00000000041A4000-0x00000000041A6000-memory.dmp

Filesize
8KB

Download
memory/2272-126-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/2272-151-0x00000000041A3000-0x00000000041A4000-memory.dmp

Filesize
4KB

Download
memory/2272-133-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/2272-121-0x0000000000000000-mapping.dmp

Download
memory/2272-132-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/2272-131-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/2272-124-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2272-130-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/2272-129-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2272-125-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/2272-134-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/2272-128-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/2272-127-0x00000000041A2000-0x00000000041A3000-memory.dmp

Filesize
4KB

Download
memory/2872-211-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2872-210-0x00000000051B0000-0x00000000056AE000-memory.dmp

Filesize
5.0MB

Download
memory/2872-209-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/2872-204-0x00000000004375DE-mapping.dmp

Download
memory/2872-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-201-0x0000000004513000-0x0000000004514000-memory.dmp

Filesize
4KB

Download
memory/2904-189-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2904-176-0x0000000000000000-mapping.dmp

Download
memory/2904-191-0x0000000004512000-0x0000000004513000-memory.dmp

Filesize
4KB

Download
memory/2904-202-0x0000000004514000-0x0000000004516000-memory.dmp

Filesize
8KB

Download
memory/3404-188-0x0000000006FC4000-0x0000000006FC6000-memory.dmp

Filesize
8KB

Download
memory/3404-157-0x0000000000000000-mapping.dmp

Download
memory/3404-169-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/3404-187-0x0000000006FC3000-0x0000000006FC4000-memory.dmp

Filesize
4KB

Download
memory/3404-170-0x0000000006FC2000-0x0000000006FC3000-memory.dmp

Filesize
4KB

Download
memory/3424-193-0x0000000000000000-mapping.dmp

Download
memory/4012-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads