agenttesla | feb91cde2c89cdf45cd078485f4f98683c11ec7d5a044a73968d31c2dcaa7e81

General

Target

UPDATED DN.exe
Size

928KB
MD5

c0059f77c623451c9b85287c735df32f
SHA1

e1dcab797de118082168f787835e67324cca9b7a
SHA256

feb91cde2c89cdf45cd078485f4f98683c11ec7d5a044a73968d31c2dcaa7e81
SHA512

86728230a7835b7ca1a0df7e5f78d3ac25071c88146d39513bc5f9f4bfd1684476ece1df33169a3ac7f4313b427a8bd4890cbd2316aacb86522f26049e979167

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.manlogistics.in
Port:
587
Username:
[email protected]
Password:
Ma&*$367Jhn

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1908-61-0x0000000000400000-0x000000000047E000-memory.dmp	family_agenttesla
behavioral1/memory/1908-62-0x0000000000400000-0x000000000047E000-memory.dmp	family_agenttesla
behavioral1/memory/1908-63-0x0000000000400000-0x000000000047E000-memory.dmp	family_agenttesla
behavioral1/memory/1908-64-0x00000000004376FE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

UPDATED DN.exe

description pid process target process

PID 528 set thread context of 1908 528 UPDATED DN.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1724 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

UPDATED DN.exe

pid process

528 UPDATED DN.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1164 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

UPDATED DN.exe

description pid process

Token: SeDebugPrivilege 528 UPDATED DN.exe

description	pid	process	target process
PID 528 set thread context of 1908	528	UPDATED DN.exe	RegSvcs.exe

pid	process
1724	schtasks.exe

pid	process
528	UPDATED DN.exe

pid	process
1164	dw20.exe

description	pid	process
Token: SeDebugPrivilege	528	UPDATED DN.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

UPDATED DN.exeRegSvcs.exe

description	pid	process	target process
PID 528 wrote to memory of 1724	528	UPDATED DN.exe	schtasks.exe
PID 528 wrote to memory of 1724	528	UPDATED DN.exe	schtasks.exe
PID 528 wrote to memory of 1724	528	UPDATED DN.exe	schtasks.exe
PID 528 wrote to memory of 1724	528	UPDATED DN.exe	schtasks.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 528 wrote to memory of 1908	528	UPDATED DN.exe	RegSvcs.exe
PID 1908 wrote to memory of 1164	1908	RegSvcs.exe	dw20.exe
PID 1908 wrote to memory of 1164	1908	RegSvcs.exe	dw20.exe
PID 1908 wrote to memory of 1164	1908	RegSvcs.exe	dw20.exe
PID 1908 wrote to memory of 1164	1908	RegSvcs.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\UPDATED DN.exe
"C:\Users\Admin\AppData\Local\Temp\UPDATED DN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xwUnvexrqIZOUN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAED5.tmp"
2⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1164

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAED5.tmp
MD5
900c422beb885ac40d80311eae16b4d7

SHA1
89e9e3a30370a907a2a7291535122cf3c19f6370

SHA256
61d39cd10e20acbb70bcc99de3bb474be623a59c506fcf2f17bf4380ecfbbc33

SHA512
5aea082224ad14d99872aef28e16ba6695576b220e9eaf665e6ea21f2af4eec597478bf63fd4e6abf1b7c1f6195a77df4dd7e21db315b2c54c631a46720ec911

Download Submit
memory/528-55-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/528-56-0x0000000000761000-0x0000000000762000-memory.dmp

Filesize
4KB

Download
memory/528-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1164-66-0x0000000000000000-mapping.dmp

Download
memory/1164-69-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1724-57-0x0000000000000000-mapping.dmp

Download
memory/1908-59-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1908-62-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1908-63-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1908-64-0x00000000004376FE-mapping.dmp

Download
memory/1908-61-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1908-68-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1908-60-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads