agenttesla | 1fce43899f8b6267ca55c5f4ad85a48a191f130d936dabeae013f5d626068ece

General

Target

0c46c876f6b444739b4f4cbf6fc9a2f5.exe
Size

683KB
MD5

0c46c876f6b444739b4f4cbf6fc9a2f5
SHA1

e241ae919b6554eb5c556a88ca2d7ca2eeb4ff98
SHA256

1fce43899f8b6267ca55c5f4ad85a48a191f130d936dabeae013f5d626068ece
SHA512

fc2b4820ceb210ca4d210209157468f6437564edf50b1341524d428efcf18ec9a5ac3064e4af443ed3d68786260bce56f130ca082c730ba4c5536956aa0eae45

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
davide.montorro@arss-it.me
Password:
HOPEFULYETLost@1989

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3760-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3760-127-0x00000000004374DE-mapping.dmp	family_agenttesla
behavioral2/memory/3760-133-0x0000000005610000-0x0000000005B0E000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/568-121-0x00000000051B0000-0x00000000051BB000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c46c876f6b444739b4f4cbf6fc9a2f5.exe

description pid process target process

PID 568 set thread context of 3760 568 0c46c876f6b444739b4f4cbf6fc9a2f5.exe 0c46c876f6b444739b4f4cbf6fc9a2f5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1252 schtasks.exe

description	pid	process	target process
PID 568 set thread context of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe

pid	process
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

0c46c876f6b444739b4f4cbf6fc9a2f5.exe0c46c876f6b444739b4f4cbf6fc9a2f5.exe

pid	process
568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
3760	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
3760	0c46c876f6b444739b4f4cbf6fc9a2f5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0c46c876f6b444739b4f4cbf6fc9a2f5.exe0c46c876f6b444739b4f4cbf6fc9a2f5.exe

description pid process

Token: SeDebugPrivilege 568 0c46c876f6b444739b4f4cbf6fc9a2f5.exe
Token: SeDebugPrivilege 3760 0c46c876f6b444739b4f4cbf6fc9a2f5.exe

description	pid	process
Token: SeDebugPrivilege	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
Token: SeDebugPrivilege	3760	0c46c876f6b444739b4f4cbf6fc9a2f5.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0c46c876f6b444739b4f4cbf6fc9a2f5.exe

C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe
"C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuBDqznBlL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB5F.tmp"
2⤵
- Creates scheduled task(s)
PID:1252

C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe
"C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe"
2⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe
"C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe"
2⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe
"C:\Users\Admin\AppData\Local\Temp\0c46c876f6b444739b4f4cbf6fc9a2f5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0c46c876f6b444739b4f4cbf6fc9a2f5.exe.log
MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB5F.tmp
MD5
d0585be4e72afa5cb7cb269441a71ce3

SHA1
16d7e619c80018fa421a9cb13c189170e3113685

SHA256
9309aead94c4934684a0af5f9df1154e1958fc8be42d5130731197665061966d

SHA512
8b67390085c53480f11f682f10cf4132848ac16d78e6cabceab6543e7455b1aeb67269aba15109d0d9d090004908bfead77231eb5d59cc087fdd60af1f121547

Download Submit
memory/568-123-0x0000000007680000-0x00000000076BD000-memory.dmp

Filesize
244KB

Download
memory/568-116-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/568-119-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/568-120-0x0000000004F90000-0x000000000548E000-memory.dmp

Filesize
5.0MB

Download
memory/568-121-0x00000000051B0000-0x00000000051BB000-memory.dmp

Filesize
44KB

Download
memory/568-122-0x00000000075F0000-0x0000000007672000-memory.dmp

Filesize
520KB

Download
memory/568-114-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/568-118-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/568-117-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1252-124-0x0000000000000000-mapping.dmp

Download
memory/3760-127-0x00000000004374DE-mapping.dmp

Download
memory/3760-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-133-0x0000000005610000-0x0000000005B0E000-memory.dmp

Filesize
5.0MB

Download
memory/3760-134-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3760-135-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 568 wrote to memory of 1252	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	schtasks.exe
PID 568 wrote to memory of 1252	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	schtasks.exe
PID 568 wrote to memory of 1252	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	schtasks.exe
PID 568 wrote to memory of 1120	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 1120	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 1120	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3792	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3792	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3792	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe
PID 568 wrote to memory of 3760	568	0c46c876f6b444739b4f4cbf6fc9a2f5.exe	0c46c876f6b444739b4f4cbf6fc9a2f5.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads