agenttesla | c37506485694a1440ecbf47a0084a3691084e0869abb163f353fe081e1c49670

General

Target

vbc.exe
Size

816KB
MD5

f1119af41aa1a22ea18df0c7b51aac11
SHA1

22c83312287db61ecfe83256f44b99be4ac25919
SHA256

c37506485694a1440ecbf47a0084a3691084e0869abb163f353fe081e1c49670
SHA512

12324f2a6fea3f0d27e62f6f4348a3aff5740a8ca886f0f3629c1d16843909f35d8444b70ed57fd739aac5ba1c60902819f9bd0dd7443603977dba71f7857b7a

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.enerzi.co
Port:
587
Username:
[email protected]
Password:
Enerzis@123!#

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2552-117-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2552-118-0x00000000004375DE-mapping.dmp	family_agenttesla

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 2108 set thread context of 2552 2108 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exedw20.exe

pid process

2108 vbc.exe
2108 vbc.exe
1796 dw20.exe
1796 dw20.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exedw20.exe

description pid process

Token: SeDebugPrivilege 2108 vbc.exe
Token: SeRestorePrivilege 1796 dw20.exe
Token: SeBackupPrivilege 1796 dw20.exe

description	pid	process	target process
PID 2108 set thread context of 2552	2108	vbc.exe	vbc.exe

pid	process
3772	schtasks.exe

pid	process
2108	vbc.exe
2108	vbc.exe
1796	dw20.exe
1796	dw20.exe

description	pid	process
Token: SeDebugPrivilege	2108	vbc.exe
Token: SeRestorePrivilege	1796	dw20.exe
Token: SeBackupPrivilege	1796	dw20.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

vbc.exevbc.exe

description	pid	process	target process
PID 2108 wrote to memory of 3772	2108	vbc.exe	schtasks.exe
PID 2108 wrote to memory of 3772	2108	vbc.exe	schtasks.exe
PID 2108 wrote to memory of 3772	2108	vbc.exe	schtasks.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2108 wrote to memory of 2552	2108	vbc.exe	vbc.exe
PID 2552 wrote to memory of 1796	2552	vbc.exe	dw20.exe
PID 2552 wrote to memory of 1796	2552	vbc.exe	dw20.exe
PID 2552 wrote to memory of 1796	2552	vbc.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gzjBwHgX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6EA4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 696
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\vbc.exe.log

MD5
ef140ef600b2463c9e7dbf064a104046

SHA1
c08fd1853877be95575ea2e860dd8cafef31f54c

SHA256
ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

SHA512
bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

Download Submit
memory/1796-120-0x0000000000000000-mapping.dmp

Download
memory/2108-115-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2552-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2552-118-0x00000000004375DE-mapping.dmp

Download
memory/2552-121-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/3772-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads