agenttesla | a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7

General

Target

ENQUIRY.exe
Size

570KB
MD5

dfc7cff14929dc6879d88a2c514bfef8
SHA1

319f1833848a98c976c1eb074af16a52ee4d1433
SHA256

a6229790b0a76fded9219434078e2ba9349cd636ee4fa6c633d0779a464c07f7
SHA512

452237738c52331f7dce3d5d6da93464a7be47c4ffe1d782958c562beed0021717465fda0db9115392a4766f2b8f7ef0ccd89645e2b7d8b4fe75ac3ccb70d85b

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.aldhiyafainteriors.com
Port:
587
Username:
rahman@aldhiyafainteriors.com
Password:
dhiyafa@987

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3600-119-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3600-120-0x00000000004376CE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

ENQUIRY.exe

description pid process target process

PID 3176 set thread context of 3600 3176 ENQUIRY.exe ENQUIRY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ENQUIRY.exedw20.exe

pid process

3176 ENQUIRY.exe
1384 dw20.exe
1384 dw20.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ENQUIRY.exedw20.exe

description pid process

Token: SeDebugPrivilege 3176 ENQUIRY.exe
Token: SeRestorePrivilege 1384 dw20.exe
Token: SeBackupPrivilege 1384 dw20.exe

description	pid	process	target process
PID 3176 set thread context of 3600	3176	ENQUIRY.exe	ENQUIRY.exe

pid	process
2236	schtasks.exe

pid	process
3176	ENQUIRY.exe
1384	dw20.exe
1384	dw20.exe

description	pid	process
Token: SeDebugPrivilege	3176	ENQUIRY.exe
Token: SeRestorePrivilege	1384	dw20.exe
Token: SeBackupPrivilege	1384	dw20.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ENQUIRY.exeENQUIRY.exe

description	pid	process	target process
PID 3176 wrote to memory of 2236	3176	ENQUIRY.exe	schtasks.exe
PID 3176 wrote to memory of 2236	3176	ENQUIRY.exe	schtasks.exe
PID 3176 wrote to memory of 2236	3176	ENQUIRY.exe	schtasks.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3176 wrote to memory of 3600	3176	ENQUIRY.exe	ENQUIRY.exe
PID 3600 wrote to memory of 1384	3600	ENQUIRY.exe	dw20.exe
PID 3600 wrote to memory of 1384	3600	ENQUIRY.exe	dw20.exe
PID 3600 wrote to memory of 1384	3600	ENQUIRY.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qhikTxSZJsELY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F52.tmp"
2⤵
- Creates scheduled task(s)
PID:2236

C:\Users\Admin\AppData\Local\Temp\ENQUIRY.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 696
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ENQUIRY.exe.log
MD5
568e6f2b186c39075772d775e4189f57

SHA1
02f642cfdd1491b1ce69e81925ed336975e2f972

SHA256
d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4

SHA512
ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F52.tmp
MD5
bd91f08913ab041aee2ccfc660acee29

SHA1
e59e59c9a51b3882908d4f5e077e205879da66f7

SHA256
0b5bcebe46f1999ce00590b0d50c894215317ac48d62d0b86ab9c14b62f34809

SHA512
28ee8dc24703648c073219b2f864203a680ebe444acbcbd0e96a610fd7e5a374ecd1dab791b20c43b74436d1e71d842f35bdf33097a70f04276d38204ed48b18

Download Submit
memory/1384-122-0x0000000000000000-mapping.dmp

Download
memory/2236-117-0x0000000000000000-mapping.dmp

Download
memory/3176-115-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3176-116-0x00000000024B2000-0x00000000024B4000-memory.dmp

Filesize
8KB

Download
memory/3600-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-120-0x00000000004376CE-mapping.dmp

Download
memory/3600-123-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads