agenttesla | 3bcc082fdf8172ec9014d27d75cd67698ac1f27228a698849fad2a56fe94ca0f

General

Target

e33ac82c14447959cb7aed86bd915960.exe
Size

684KB
MD5

e33ac82c14447959cb7aed86bd915960
SHA1

9ea25902ed4f55813ae2708ce237bbf3b89f924a
SHA256

3bcc082fdf8172ec9014d27d75cd67698ac1f27228a698849fad2a56fe94ca0f
SHA512

734cdfefd8e00be8e26f20d8e7fa0a522ddc25cd0fff2528ef283d54a749c5d7ccd415273117bc942cb0927ef2a4cebb42177a0c5f3000287c54f6d290a89091

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
ddelande@quadrel-com.icu
Password:
snookiep@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3972-127-0x000000000043749E-mapping.dmp	family_agenttesla
behavioral2/memory/3972-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3972-132-0x0000000004F90000-0x000000000548E000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4448-121-0x0000000005090000-0x000000000509B000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exe

description pid process target process

PID 4448 set thread context of 3972 4448 e33ac82c14447959cb7aed86bd915960.exe e33ac82c14447959cb7aed86bd915960.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exee33ac82c14447959cb7aed86bd915960.exe

pid process

4448 e33ac82c14447959cb7aed86bd915960.exe
3972 e33ac82c14447959cb7aed86bd915960.exe
3972 e33ac82c14447959cb7aed86bd915960.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exee33ac82c14447959cb7aed86bd915960.exe

description pid process

Token: SeDebugPrivilege 4448 e33ac82c14447959cb7aed86bd915960.exe
Token: SeDebugPrivilege 3972 e33ac82c14447959cb7aed86bd915960.exe

description	pid	process	target process
PID 4448 set thread context of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe

pid	process
4008	schtasks.exe

pid	process
4448	e33ac82c14447959cb7aed86bd915960.exe
3972	e33ac82c14447959cb7aed86bd915960.exe
3972	e33ac82c14447959cb7aed86bd915960.exe

description	pid	process
Token: SeDebugPrivilege	4448	e33ac82c14447959cb7aed86bd915960.exe
Token: SeDebugPrivilege	3972	e33ac82c14447959cb7aed86bd915960.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e33ac82c14447959cb7aed86bd915960.exe

description	pid	process	target process
PID 4448 wrote to memory of 4008	4448	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 4448 wrote to memory of 4008	4448	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 4448 wrote to memory of 4008	4448	e33ac82c14447959cb7aed86bd915960.exe	schtasks.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe
PID 4448 wrote to memory of 3972	4448	e33ac82c14447959cb7aed86bd915960.exe	e33ac82c14447959cb7aed86bd915960.exe

C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe
"C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pcEyxzuZDY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA0C5.tmp"
2⤵
- Creates scheduled task(s)
PID:4008

C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe
"C:\Users\Admin\AppData\Local\Temp\e33ac82c14447959cb7aed86bd915960.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA0C5.tmp
MD5
74195508bc7a47c97354fc0a136fd80a

SHA1
50aa667dfe17d6a22f739e2b4ac54afa7a96ebb7

SHA256
5cb166e7cf108c28cd33aedf118a752897b13f1ae87bf73671ce887f75df7add

SHA512
f672b751f056fa21a2eb9ece8e31c1b11694b4770dcdaea1d4aeb15b083f6b49212aaaa833549197949ed6f7e83dc60b90978b24136784c6613a4d0887334fbf

Download Submit
memory/3972-134-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/3972-133-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3972-132-0x0000000004F90000-0x000000000548E000-memory.dmp

Filesize
5.0MB

Download
memory/3972-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3972-127-0x000000000043749E-mapping.dmp

Download
memory/4008-124-0x0000000000000000-mapping.dmp

Download
memory/4448-119-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4448-123-0x00000000072A0000-0x00000000072DD000-memory.dmp

Filesize
244KB

Download
memory/4448-122-0x0000000007200000-0x0000000007281000-memory.dmp

Filesize
516KB

Download
memory/4448-121-0x0000000005090000-0x000000000509B000-memory.dmp

Filesize
44KB

Download
memory/4448-120-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4448-114-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/4448-118-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4448-117-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4448-116-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads