agenttesla | eddc270558f27cf00441f9056ca98264e14708d8202647bb461c371e6db85cdb

General

Target

MRKU8781602.exe
Size

612KB
MD5

bbed19abf6b369658b6996317e2e2067
SHA1

b252760938e016ea408efb75cab44defa95a6b17
SHA256

eddc270558f27cf00441f9056ca98264e14708d8202647bb461c371e6db85cdb
SHA512

94021a9caceef74dc3d3bc62e39ca056c71ea8e01683f81cde451187007d3adc6ece3640490be0797c1e2f8e2d54a7ece3a7f528fea08de6b0fa86efd4534579

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2568-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2568-127-0x000000000043779E-mapping.dmp	family_agenttesla
behavioral2/memory/2568-133-0x0000000005140000-0x000000000563E000-memory.dmp	family_agenttesla
behavioral2/memory/2568-138-0x0000000005140000-0x000000000563E000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

MRKU8781602.exe

description pid process target process

PID 3956 set thread context of 2568 3956 MRKU8781602.exe MRKU8781602.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MRKU8781602.exeMRKU8781602.exe

pid process

3956 MRKU8781602.exe
3956 MRKU8781602.exe
2568 MRKU8781602.exe
2568 MRKU8781602.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MRKU8781602.exeMRKU8781602.exe

description pid process

Token: SeDebugPrivilege 3956 MRKU8781602.exe
Token: SeDebugPrivilege 2568 MRKU8781602.exe

description	pid	process	target process
PID 3956 set thread context of 2568	3956	MRKU8781602.exe	MRKU8781602.exe

pid	process
1236	schtasks.exe

pid	process
3956	MRKU8781602.exe
3956	MRKU8781602.exe
2568	MRKU8781602.exe
2568	MRKU8781602.exe

description	pid	process
Token: SeDebugPrivilege	3956	MRKU8781602.exe
Token: SeDebugPrivilege	2568	MRKU8781602.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

MRKU8781602.exe

description	pid	process	target process
PID 3956 wrote to memory of 1236	3956	MRKU8781602.exe	schtasks.exe
PID 3956 wrote to memory of 1236	3956	MRKU8781602.exe	schtasks.exe
PID 3956 wrote to memory of 1236	3956	MRKU8781602.exe	schtasks.exe
PID 3956 wrote to memory of 2356	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2356	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2356	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe
PID 3956 wrote to memory of 2568	3956	MRKU8781602.exe	MRKU8781602.exe

C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe
"C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gfrZGvetdgc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB183.tmp"
2⤵
- Creates scheduled task(s)
PID:1236

C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe
"{path}"
2⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\MRKU8781602.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MRKU8781602.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB183.tmp
MD5
b894872524a9d595ed94e5e1030a6da9

SHA1
f3ad129f563e1d4fd44965867d75c7b35bb0a51a

SHA256
5078dea09a5b8eda9927d16c0ed504a35ea924a402353c6509beaef57f320944

SHA512
4059f1cbec8877b57cd0c377768e9babae908aafb6c1a59e038781073c4461d0bc06439e777d1ba975e7a3ec282810c425756944f2bf00acf4903b20998112d1

Download Submit
memory/1236-124-0x0000000000000000-mapping.dmp

Download
memory/2568-138-0x0000000005140000-0x000000000563E000-memory.dmp

Filesize
5.0MB

Download
memory/2568-135-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/2568-134-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2568-133-0x0000000005140000-0x000000000563E000-memory.dmp

Filesize
5.0MB

Download
memory/2568-127-0x000000000043779E-mapping.dmp

Download
memory/2568-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3956-119-0x0000000005880000-0x0000000005D7E000-memory.dmp

Filesize
5.0MB

Download
memory/3956-123-0x0000000007940000-0x000000000797D000-memory.dmp

Filesize
244KB

Download
memory/3956-122-0x0000000007A80000-0x0000000007AFC000-memory.dmp

Filesize
496KB

Download
memory/3956-121-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/3956-120-0x0000000005AC0000-0x0000000005AC2000-memory.dmp

Filesize
8KB

Download
memory/3956-114-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3956-118-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/3956-117-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3956-116-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads