agenttesla | e7cbb9f2862c31495bedaea4648d8e76e5594c03b648ab5185129a69f6b2bc5d

General

Target

URGENT REQUEST FOR QUOTATION.exe
Size

800KB
MD5

9343f031d3ab03e202698b5e5f7a71c7
SHA1

8648f8babd986618c21185705f365df9705b6c49
SHA256

e7cbb9f2862c31495bedaea4648d8e76e5594c03b648ab5185129a69f6b2bc5d
SHA512

4c920ff64db2c67537855cb10ba7a33eb8d1cd4b35aa0205965cd936b9958dd04838347e1230422f78a2aa4b0dcc57fefbf2579dd3b3fc9de028d96af54d59b5

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
brucechuks212@vivaldi.net
Password:
23456789@@@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2748-140-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2748-141-0x000000000043747E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exe

description pid process target process

PID 3908 set thread context of 2748 3908 URGENT REQUEST FOR QUOTATION.exe URGENT REQUEST FOR QUOTATION.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2332 schtasks.exe

description	pid	process	target process
PID 3908 set thread context of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe

pid	process
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeURGENT REQUEST FOR QUOTATION.exeURGENT REQUEST FOR QUOTATION.exepowershell.exe

pid	process
4040	powershell.exe
3688	powershell.exe
3908	URGENT REQUEST FOR QUOTATION.exe
2748	URGENT REQUEST FOR QUOTATION.exe
2748	URGENT REQUEST FOR QUOTATION.exe
3968	powershell.exe
4040	powershell.exe
3688	powershell.exe
3968	powershell.exe
3688	powershell.exe
4040	powershell.exe
3968	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeURGENT REQUEST FOR QUOTATION.exeURGENT REQUEST FOR QUOTATION.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3908	URGENT REQUEST FOR QUOTATION.exe
Token: SeDebugPrivilege	2748	URGENT REQUEST FOR QUOTATION.exe
Token: SeDebugPrivilege	3968	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exe

description	pid	process	target process
PID 3908 wrote to memory of 4040	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 4040	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 4040	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 3688	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 3688	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 3688	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 2332	3908	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 3908 wrote to memory of 2332	3908	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 3908 wrote to memory of 2332	3908	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 3908 wrote to memory of 3968	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 3968	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 3968	3908	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe
PID 3908 wrote to memory of 2748	3908	URGENT REQUEST FOR QUOTATION.exe	URGENT REQUEST FOR QUOTATION.exe

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wpLWNDBJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wpLWNDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD65.tmp"
2⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wpLWNDBJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
921485d2f2397aaacad0b77ee281d451

SHA1
83c83e5b275a2a208b0e3e8a031d1895fffe25ee

SHA256
569b9617d082eb87351d271269dd42d9cd9f93605a7e9d7aa83aacaaca8966f5

SHA512
0efb97654ee4870f5c319bb09502b47630307201b07e32817e88444218c2c582ac952b7828e4179b8768757883fb99bf9938af3944919a9c3d0ac7c83274dc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
324e130d15b57df0a9027ee993247029

SHA1
635a3a93d8895b5a56e65613dd422312f07bbe32

SHA256
e8552b7864a38bdb43bf7789c4f4cfdf2fea8d6e406a1edd6994dc087f545b71

SHA512
5aa60656e33d1067d47957ba198c51494eb3c39f402cd69085db2d6c0969da00a9bb96c5662a13a8e0fac52596d122346914774593353ded8156aeaa3256b004

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD65.tmp
MD5
d27de97ae2fc24ed972ae524023a75ec

SHA1
74e478ec36dd3e7cc767a81148fa22a8c8510d72

SHA256
3c0634e4ad077c2cc764131d69cf2b845746b0396768133dbe391a6c8a236551

SHA512
fdd16904bd4be9bc2797a2a9b6ed3fd60eee6cbd2b5f46bb46a6d5f672ea36296fc0b99f1e877e7f6d87232477127bb0264d2e46498de3369ee15367a9979c89

Download Submit
memory/2332-127-0x0000000000000000-mapping.dmp

Download
memory/2748-889-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/2748-162-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/2748-141-0x000000000043747E-mapping.dmp

Download
memory/2748-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-254-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

Filesize
4KB

Download
memory/3688-172-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3688-126-0x0000000000000000-mapping.dmp

Download
memory/3688-161-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

Filesize
4KB

Download
memory/3688-208-0x000000007FB20000-0x000000007FB21000-memory.dmp

Filesize
4KB

Download
memory/3688-155-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/3908-117-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3908-122-0x0000000005240000-0x000000000525B000-memory.dmp

Filesize
108KB

Download
memory/3908-119-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3908-118-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3908-116-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3908-124-0x0000000008690000-0x00000000086CD000-memory.dmp

Filesize
244KB

Download
memory/3908-120-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3908-114-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3908-123-0x0000000008600000-0x0000000008682000-memory.dmp

Filesize
520KB

Download
memory/3908-121-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/3968-259-0x0000000006753000-0x0000000006754000-memory.dmp

Filesize
4KB

Download
memory/3968-157-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/3968-160-0x0000000006752000-0x0000000006753000-memory.dmp

Filesize
4KB

Download
memory/3968-247-0x000000007E550000-0x000000007E551000-memory.dmp

Filesize
4KB

Download
memory/3968-137-0x0000000000000000-mapping.dmp

Download
memory/4040-148-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/4040-169-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/4040-167-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/4040-192-0x0000000009280000-0x00000000092B3000-memory.dmp

Filesize
204KB

Download
memory/4040-205-0x000000007E8C0000-0x000000007E8C1000-memory.dmp

Filesize
4KB

Download
memory/4040-158-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/4040-213-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/4040-153-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4040-250-0x0000000004973000-0x0000000004974000-memory.dmp

Filesize
4KB

Download
memory/4040-145-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/4040-142-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/4040-138-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/4040-134-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/4040-131-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4040-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads