agenttesla | d19edc2ae1e9d8c99b477c45960499e400afaad377a85475af9eebfc752cecd0

General

Target

fda.exe
Size

840KB
MD5

8222e7bd5783b30d0a64b6f9e1aec2ab
SHA1

f8a8ba5d2dcffffe488c345134e324c97652d000
SHA256

d19edc2ae1e9d8c99b477c45960499e400afaad377a85475af9eebfc752cecd0
SHA512

e48b583915e4102173de672435af083ede63979030358dc60976f418ea0f860621c9d618733f694c8fd6e1bba6f8406ce587db4548262e0cac98e9cef67ed56a

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
faithkingsley@vivaldi.net
Password:
kingsofkings123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3812-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3812-127-0x000000000043782E-mapping.dmp	family_agenttesla
behavioral2/memory/3812-132-0x00000000051E0000-0x00000000056DE000-memory.dmp	family_agenttesla
behavioral2/memory/3812-137-0x00000000051E0000-0x00000000056DE000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLxES = "C:\\Users\\Admin\\AppData\\Roaming\\DLxES\\DLxES.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fda.exe

description pid process target process

PID 2256 set thread context of 3812 2256 fda.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

fda.exeRegSvcs.exe

pid process

2256 fda.exe
3812 RegSvcs.exe
3812 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fda.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2256 fda.exe
Token: SeDebugPrivilege 3812 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3812 RegSvcs.exe

description	pid	process	target process
PID 2256 set thread context of 3812	2256	fda.exe	RegSvcs.exe

pid	process
3968	schtasks.exe

pid	process
2256	fda.exe
3812	RegSvcs.exe
3812	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2256	fda.exe
Token: SeDebugPrivilege	3812	RegSvcs.exe

pid	process
3812	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

fda.exe

description	pid	process	target process
PID 2256 wrote to memory of 3968	2256	fda.exe	schtasks.exe
PID 2256 wrote to memory of 3968	2256	fda.exe	schtasks.exe
PID 2256 wrote to memory of 3968	2256	fda.exe	schtasks.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe
PID 2256 wrote to memory of 3812	2256	fda.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fda.exe
"C:\Users\Admin\AppData\Local\Temp\fda.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KDJpNdSGbsgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFFC.tmp"
2⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAFFC.tmp
MD5
ce17912e14fff31eaba8136a0ebd1012

SHA1
5ed91730c2dd321ea7fa2fc4f93fe2b1e2c5e463

SHA256
b40f6c8a21db98d8b88f659b45e45a4a99e73c1c467bf76956cb69f4361df8c1

SHA512
a9d59719d452c714b99c85e8b6e0216862328d8c8383fcb75bef13d0ef85457027ef90084b8b265471c8dea8ccad9e5c9d6679a50391a3f3a7c21d0d1b76d1a8

Download Submit
memory/2256-123-0x000000000A1F0000-0x000000000A24A000-memory.dmp

Filesize
360KB

Download
memory/2256-116-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/2256-118-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/2256-119-0x0000000005420000-0x000000000591E000-memory.dmp

Filesize
5.0MB

Download
memory/2256-114-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2256-121-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2256-117-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2256-122-0x0000000007B30000-0x0000000007BCF000-memory.dmp

Filesize
636KB

Download
memory/2256-120-0x00000000056D0000-0x00000000056D2000-memory.dmp

Filesize
8KB

Download
memory/3812-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3812-127-0x000000000043782E-mapping.dmp

Download
memory/3812-132-0x00000000051E0000-0x00000000056DE000-memory.dmp

Filesize
5.0MB

Download
memory/3812-133-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3812-134-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/3812-137-0x00000000051E0000-0x00000000056DE000-memory.dmp

Filesize
5.0MB

Download
memory/3968-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads