agenttesla | 3bcc082fdf8172ec9014d27d75cd67698ac1f27228a698849fad2a56fe94ca0f

General

Target

e33ac82c14447959cb7aed86bd915960.exe
Size

684KB
MD5

e33ac82c14447959cb7aed86bd915960
SHA1

9ea25902ed4f55813ae2708ce237bbf3b89f924a
SHA256

3bcc082fdf8172ec9014d27d75cd67698ac1f27228a698849fad2a56fe94ca0f
SHA512

734cdfefd8e00be8e26f20d8e7fa0a522ddc25cd0fff2528ef283d54a749c5d7ccd415273117bc942cb0927ef2a4cebb42177a0c5f3000287c54f6d290a89091

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
ddelande@quadrel-com.icu
Password:
snookiep@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-67-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1956-68-0x000000000043749E-mapping.dmp	family_agenttesla
behavioral1/memory/1956-69-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1972-62-0x0000000000840000-0x000000000084B000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exe

description pid process target process

PID 1972 set thread context of 1956 1972 e33ac82c14447959cb7aed86bd915960.exe e33ac82c14447959cb7aed86bd915960.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exee33ac82c14447959cb7aed86bd915960.exe

pid process

1972 e33ac82c14447959cb7aed86bd915960.exe
1956 e33ac82c14447959cb7aed86bd915960.exe
1956 e33ac82c14447959cb7aed86bd915960.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exee33ac82c14447959cb7aed86bd915960.exe

description pid process

Token: SeDebugPrivilege 1972 e33ac82c14447959cb7aed86bd915960.exe
Token: SeDebugPrivilege 1956 e33ac82c14447959cb7aed86bd915960.exe

description	pid	process	target process
PID 1972 set thread context of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe

pid	process
560	schtasks.exe

pid	process
1972	e33ac82c14447959cb7aed86bd915960.exe
1956	e33ac82c14447959cb7aed86bd915960.exe
1956	e33ac82c14447959cb7aed86bd915960.exe

description	pid	process
Token: SeDebugPrivilege	1972	e33ac82c14447959cb7aed86bd915960.exe
Token: SeDebugPrivilege	1956	e33ac82c14447959cb7aed86bd915960.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exe

description	pid	process	target process
PID 1972 wrote to memory of 560	1972	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 1972 wrote to memory of 560	1972	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 1972 wrote to memory of 560	1972	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 1972 wrote to memory of 560	1972	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 1972 wrote to memory of 1956	1972	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe

C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe
"C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pcEyxzuZDY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E77.tmp"
2⤵
- Creates scheduled task(s)
PID:560

C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe
"C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3E77.tmp
MD5
4e5f0f21e8d0d3214b6cf83b6f965932

SHA1
ac90f258e3f5b2071e8adef44480addc37519218

SHA256
193158019e690e03bb1b0a4003565e3350a24a3bc4e0c01b0c997f87bba74921

SHA512
cb852fe1408d439c5e9108347d64c158f63faa537960396ed494deaeb8aca9c34f80fd35904540a1974fa85a9203bcf8193469fb07c89be97a24bf99d3da63f0

Download Submit
memory/560-65-0x0000000000000000-mapping.dmp

Download
memory/1956-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-68-0x000000000043749E-mapping.dmp

Download
memory/1956-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-71-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1972-59-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1972-61-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1972-62-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/1972-63-0x0000000004D10000-0x0000000004D91000-memory.dmp

Filesize
516KB

Download
memory/1972-64-0x0000000000C00000-0x0000000000C3D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads