agenttesla | feb91cde2c89cdf45cd078485f4f98683c11ec7d5a044a73968d31c2dcaa7e81

General

Target

UPDATED DN.exe
Size

928KB
MD5

c0059f77c623451c9b85287c735df32f
SHA1

e1dcab797de118082168f787835e67324cca9b7a
SHA256

feb91cde2c89cdf45cd078485f4f98683c11ec7d5a044a73968d31c2dcaa7e81
SHA512

86728230a7835b7ca1a0df7e5f78d3ac25071c88146d39513bc5f9f4bfd1684476ece1df33169a3ac7f4313b427a8bd4890cbd2316aacb86522f26049e979167

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.manlogistics.in
Port:
587
Username:
dilip.somkuwar@manlogistics.in
Password:
Ma&*$367Jhn

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2968-119-0x0000000000400000-0x000000000047E000-memory.dmp	family_agenttesla
behavioral2/memory/2968-120-0x00000000004376FE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

UPDATED DN.exe

description pid process target process

PID 3984 set thread context of 2968 3984 UPDATED DN.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3872 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

2812 dw20.exe
2812 dw20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeRestorePrivilege 2812 dw20.exe
Token: SeBackupPrivilege 2812 dw20.exe

description	pid	process	target process
PID 3984 set thread context of 2968	3984	UPDATED DN.exe	RegSvcs.exe

pid	process
3872	schtasks.exe

pid	process
2812	dw20.exe
2812	dw20.exe

description	pid	process
Token: SeRestorePrivilege	2812	dw20.exe
Token: SeBackupPrivilege	2812	dw20.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

UPDATED DN.exeRegSvcs.exe

description	pid	process	target process
PID 3984 wrote to memory of 3872	3984	UPDATED DN.exe	schtasks.exe
PID 3984 wrote to memory of 3872	3984	UPDATED DN.exe	schtasks.exe
PID 3984 wrote to memory of 3872	3984	UPDATED DN.exe	schtasks.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 3984 wrote to memory of 2968	3984	UPDATED DN.exe	RegSvcs.exe
PID 2968 wrote to memory of 2812	2968	RegSvcs.exe	dw20.exe
PID 2968 wrote to memory of 2812	2968	RegSvcs.exe	dw20.exe
PID 2968 wrote to memory of 2812	2968	RegSvcs.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\UPDATED DN.exe
"C:\Users\Admin\AppData\Local\Temp\UPDATED DN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xwUnvexrqIZOUN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8681.tmp"
2⤵
- Creates scheduled task(s)
PID:3872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 708
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8681.tmp
MD5
643dead05af530421457eea83bd4f035

SHA1
84ce47a071e078a58f115ba3349889a013dace27

SHA256
d42b44d035dde6bcb55921894b41220833790509bdfabc08efd864a819ec3709

SHA512
17c2a2c9315eb43a2eedf7d948d3fb5ddf915fd55d85fe5b608d879e1365f36f7cc8852bdbd725abea02d9a8a819bdfaaa903bd2f4fd8ed73ee9074bf3ab338e

Download Submit
memory/2812-121-0x0000000000000000-mapping.dmp

Download
memory/2968-119-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2968-120-0x00000000004376FE-mapping.dmp

Download
memory/2968-122-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3872-117-0x0000000000000000-mapping.dmp

Download
memory/3984-115-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/3984-116-0x0000000002772000-0x0000000002774000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads