agenttesla | e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0

General

Target

e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe
Size

756KB
MD5

f102830b868ee3c2a5c50831d0848052
SHA1

6040522ab7642bea1555995c7b43906dcee46173
SHA256

e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0
SHA512

b77c2fd5bc2ec52064be214954e5010accfa785463cabca7ae2b07893f2541ca66b66a95cab9d32f90158dcf8244096051d6674e0f1020a2c9cab72523588df2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
mmm777

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1668-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1668-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1668-64-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1668-66-0x000000000043785E-mapping.dmp	family_agenttesla
behavioral1/memory/1668-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1668-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe
1668	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1408	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	28
PID 684 wrote to memory of 1408	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	28
PID 684 wrote to memory of 1408	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	28
PID 684 wrote to memory of 1408	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	28
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30
PID 684 wrote to memory of 1668	684	e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe	30

C:\Users\Admin\AppData\Local\Temp\e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe
"C:\Users\Admin\AppData\Local\Temp\e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Jrqpij" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA78.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1408
- C:\Users\Admin\AppData\Local\Temp\e484d01f9c3885794ba1fbd44760b61fe779cb0a5deccaa0b191e04f6f9810c0.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDA78.tmp

Filesize
1KB

MD5
013282ef236015c3d48d4e3d5a218a7d

SHA1
3154903a3b2a8d3f7a565c7f5721a50ecb5b99ca

SHA256
4582254dac32d24c9428d0aa204dbe36667d8dccf9bc05a30c4a989ff4f44e29

SHA512
237d6f2488cb5ebb13d703068a512221cb12da102e15a8230568c85fbdde1d6520186671054613d72d8a33b1bffaaeb2ba21dfefab8d93368b8e01facc8a1c6b

Download Submit
memory/684-54-0x00000000010F0000-0x00000000011B4000-memory.dmp

Filesize
784KB

Download
memory/684-55-0x0000000000A80000-0x0000000000AEC000-memory.dmp

Filesize
432KB

Download
memory/684-56-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/684-57-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1668-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads