agenttesla | a0ee1d459912946e86b1695a16e4e5c288274959bdfb4d9e57cc83e473a3c10b

General

Target

REQUEST FOR QUOTE FORM.exe
Size

685KB
MD5

136d3ff60c17a7e1d4e1b3c755e15d89
SHA1

88b8b2b70252e64bf5599bf0c2fcbca363c06c0a
SHA256

a0ee1d459912946e86b1695a16e4e5c288274959bdfb4d9e57cc83e473a3c10b
SHA512

86ab7db4097b895ab890b9b471ec22aca1eee701d9dd711873e9790a3453bcc6d5c9a1cdbd7415620c1df732e07760bf0abf96874c450d5ba6f7f6508b7551be

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
chamara.kuruppu@organigram-ca.icu
Password:
Neways@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2452-127-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2452-128-0x000000000043747E-mapping.dmp	family_agenttesla
behavioral2/memory/2452-134-0x0000000005790000-0x0000000005C8E000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

REQUEST FOR QUOTE FORM.exe

description pid process target process

PID 3164 set thread context of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

808 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

REQUEST FOR QUOTE FORM.exeREQUEST FOR QUOTE FORM.exe

pid process

3164 REQUEST FOR QUOTE FORM.exe
2452 REQUEST FOR QUOTE FORM.exe
2452 REQUEST FOR QUOTE FORM.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

REQUEST FOR QUOTE FORM.exeREQUEST FOR QUOTE FORM.exe

description pid process

Token: SeDebugPrivilege 3164 REQUEST FOR QUOTE FORM.exe
Token: SeDebugPrivilege 2452 REQUEST FOR QUOTE FORM.exe

description	pid	process	target process
PID 3164 set thread context of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe

pid	process
808	schtasks.exe

pid	process
3164	REQUEST FOR QUOTE FORM.exe
2452	REQUEST FOR QUOTE FORM.exe
2452	REQUEST FOR QUOTE FORM.exe

description	pid	process
Token: SeDebugPrivilege	3164	REQUEST FOR QUOTE FORM.exe
Token: SeDebugPrivilege	2452	REQUEST FOR QUOTE FORM.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

REQUEST FOR QUOTE FORM.exe

description	pid	process	target process
PID 3164 wrote to memory of 808	3164	REQUEST FOR QUOTE FORM.exe	schtasks.exe
PID 3164 wrote to memory of 808	3164	REQUEST FOR QUOTE FORM.exe	schtasks.exe
PID 3164 wrote to memory of 808	3164	REQUEST FOR QUOTE FORM.exe	schtasks.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe
PID 3164 wrote to memory of 2452	3164	REQUEST FOR QUOTE FORM.exe	REQUEST FOR QUOTE FORM.exe

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wfrelrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5777.tmp"
2⤵
- Creates scheduled task(s)
PID:808

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REQUEST FOR QUOTE FORM.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5777.tmp
MD5
b1bc41a0e96aad184b4adad30f12c632

SHA1
7995f3972265ce0d55b777288ecde61c92a8a71a

SHA256
a09de950ad127c38ebd160fa6eccde425eab1786376d06ae3351ca22764d62ff

SHA512
68cc3e4626ffb41830d75fa5d9e5447c317bf0446e24c453f46b793b66775b77a72a8e4bf5682f6558ebb364023482dd0a26acf89701f189fede5a67d38ba4d4

Download Submit
memory/808-125-0x0000000000000000-mapping.dmp

Download
memory/2452-136-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/2452-135-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/2452-134-0x0000000005790000-0x0000000005C8E000-memory.dmp

Filesize
5.0MB

Download
memory/2452-128-0x000000000043747E-mapping.dmp

Download
memory/2452-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3164-119-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3164-124-0x00000000076C0000-0x00000000076FC000-memory.dmp

Filesize
240KB

Download
memory/3164-123-0x0000000007640000-0x00000000076BC000-memory.dmp

Filesize
496KB

Download
memory/3164-122-0x00000000053A0000-0x00000000053BB000-memory.dmp

Filesize
108KB

Download
memory/3164-121-0x0000000005090000-0x000000000558E000-memory.dmp

Filesize
5.0MB

Download
memory/3164-120-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3164-114-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3164-118-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3164-117-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3164-116-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads