agenttesla | dd3b902d361a2d665d9c138506fc6abf38c82d2e80050918826b0b07cbb5c392

General

Target

pedido072821.exe
Size

711KB
MD5

1786ed7eac98dd6710556dc1ce7f89eb
SHA1

c63bd5bd0586eefa1d58b8c43b0bbff36f57eae9
SHA256

8aa98bc1c4bc764c59a44eeab651813a2302ff87e555fcea986a75b031eb3b84
SHA512

ff079fa6043e24ec23e352d6c60e21e1ce7d232f6ce9c704060107de80900aaf33d6f9f3f554d9f04500e95375b69f98ee240c3ed883cd8c23b464e6d13e410d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
JesusChrist007

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2068-127-0x00000000004375EE-mapping.dmp	family_agenttesla
behavioral1/memory/2068-133-0x00000000053A0000-0x000000000589E000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/3944-121-0x00000000058E0000-0x00000000058EB000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

pedido072821.exe

description pid process target process

PID 3944 set thread context of 2068 3944 pedido072821.exe pedido072821.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3568 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pedido072821.exepedido072821.exe

pid process

3944 pedido072821.exe
3944 pedido072821.exe
3944 pedido072821.exe
3944 pedido072821.exe
2068 pedido072821.exe
2068 pedido072821.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pedido072821.exepedido072821.exe

description pid process

Token: SeDebugPrivilege 3944 pedido072821.exe
Token: SeDebugPrivilege 2068 pedido072821.exe

description	pid	process	target process
PID 3944 set thread context of 2068	3944	pedido072821.exe	pedido072821.exe

pid	process
3568	schtasks.exe

pid	process
3944	pedido072821.exe
3944	pedido072821.exe
3944	pedido072821.exe
3944	pedido072821.exe
2068	pedido072821.exe
2068	pedido072821.exe

description	pid	process
Token: SeDebugPrivilege	3944	pedido072821.exe
Token: SeDebugPrivilege	2068	pedido072821.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

pedido072821.exe

description	pid	process	target process
PID 3944 wrote to memory of 3568	3944	pedido072821.exe	schtasks.exe
PID 3944 wrote to memory of 3568	3944	pedido072821.exe	schtasks.exe
PID 3944 wrote to memory of 3568	3944	pedido072821.exe	schtasks.exe
PID 3944 wrote to memory of 4036	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 4036	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 4036	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 4076	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 4076	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 4076	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe
PID 3944 wrote to memory of 2068	3944	pedido072821.exe	pedido072821.exe

C:\Users\Admin\AppData\Local\Temp\pedido072821.exe
"C:\Users\Admin\AppData\Local\Temp\pedido072821.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oaUtytm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD49B.tmp"
2⤵
- Creates scheduled task(s)
PID:3568

C:\Users\Admin\AppData\Local\Temp\pedido072821.exe
"C:\Users\Admin\AppData\Local\Temp\pedido072821.exe"
2⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\pedido072821.exe
"C:\Users\Admin\AppData\Local\Temp\pedido072821.exe"
2⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\pedido072821.exe
"C:\Users\Admin\AppData\Local\Temp\pedido072821.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pedido072821.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD49B.tmp
MD5
e51cc70e66deb76963d35adae56295d9

SHA1
4fd557e04efb23ad48979dfa0e0ba00da6e04869

SHA256
1252600d83414f1d9bba409f15472226fc6e7ef5835808810ece2660458f634b

SHA512
9a579bb9e3d161a85e3a27e6940441a41313386a8b29fde9c19a349e52d6e5bc560df9e2f0b384a95e4ff04107780dbd8aee8fad9f1b463bdc9cbd41eb0a56d2

Download Submit
memory/2068-135-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/2068-134-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/2068-133-0x00000000053A0000-0x000000000589E000-memory.dmp

Filesize
5.0MB

Download
memory/2068-127-0x00000000004375EE-mapping.dmp

Download
memory/2068-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-124-0x0000000000000000-mapping.dmp

Download
memory/3944-119-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3944-123-0x0000000007E70000-0x0000000007EA9000-memory.dmp

Filesize
228KB

Download
memory/3944-122-0x0000000007DF0000-0x0000000007E6D000-memory.dmp

Filesize
500KB

Download
memory/3944-121-0x00000000058E0000-0x00000000058EB000-memory.dmp

Filesize
44KB

Download
memory/3944-120-0x0000000005620000-0x0000000005B1E000-memory.dmp

Filesize
5.0MB

Download
memory/3944-114-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3944-118-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads