agenttesla | 8433455d529340cf75bc811fe9a3526c5c8c9675659a88936155f861eb2a704d

General

Target

MAT_BAO-Document#20200627.ppt.exe
Size

616KB
MD5

9ec80f6e5410947c65a4b22a74eea652
SHA1

5267449fd604844553526e4509a2f494537589af
SHA256

91790ae3ca023feece6f78ea40830638f98b17469ddaed3e8184266f85141574
SHA512

b5ae3ad60d9083b9e0e4dd42d65319b0266102f24f10ca9bcecacea6d77f98cab264a69d872423957fbea4ba7b5b579304d595b087cd8d967e8e7896272ac35f

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bmmarine.net
Port:
587
Username:
[email protected]
Password:
h)%_GO?8$PS_erY39h

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3500-138-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MAT_BAO-Document#20200627.ppt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	MAT_BAO-Document#20200627.ppt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MAT_BAO-Document#20200627.ppt.exe

description pid process target process

PID 3860 set thread context of 3500 3860 MAT_BAO-Document#20200627.ppt.exe MAT_BAO-Document#20200627.ppt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2872 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

MAT_BAO-Document#20200627.ppt.exeMAT_BAO-Document#20200627.ppt.exe

pid process

3860 MAT_BAO-Document#20200627.ppt.exe
3500 MAT_BAO-Document#20200627.ppt.exe
3500 MAT_BAO-Document#20200627.ppt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MAT_BAO-Document#20200627.ppt.exeMAT_BAO-Document#20200627.ppt.exe

description pid process

Token: SeDebugPrivilege 3860 MAT_BAO-Document#20200627.ppt.exe
Token: SeDebugPrivilege 3500 MAT_BAO-Document#20200627.ppt.exe

description	pid	process	target process
PID 3860 set thread context of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe

pid	process
2872	schtasks.exe

pid	process
3860	MAT_BAO-Document#20200627.ppt.exe
3500	MAT_BAO-Document#20200627.ppt.exe
3500	MAT_BAO-Document#20200627.ppt.exe

description	pid	process
Token: SeDebugPrivilege	3860	MAT_BAO-Document#20200627.ppt.exe
Token: SeDebugPrivilege	3500	MAT_BAO-Document#20200627.ppt.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

MAT_BAO-Document#20200627.ppt.exe

description	pid	process	target process
PID 3860 wrote to memory of 2872	3860	MAT_BAO-Document#20200627.ppt.exe	schtasks.exe
PID 3860 wrote to memory of 2872	3860	MAT_BAO-Document#20200627.ppt.exe	schtasks.exe
PID 3860 wrote to memory of 2872	3860	MAT_BAO-Document#20200627.ppt.exe	schtasks.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe
PID 3860 wrote to memory of 3500	3860	MAT_BAO-Document#20200627.ppt.exe	MAT_BAO-Document#20200627.ppt.exe

C:\Users\Admin\AppData\Local\Temp\MAT_BAO-Document#20200627.ppt.exe
"C:\Users\Admin\AppData\Local\Temp\MAT_BAO-Document#20200627.ppt.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sGSyzwcjNsGTxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp942.tmp"
2⤵
- Creates scheduled task(s)
PID:2872

C:\Users\Admin\AppData\Local\Temp\MAT_BAO-Document#20200627.ppt.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp942.tmp

Filesize
1KB

MD5
c935c157ac8e905541d91a5897c29b7c

SHA1
14873fad6e33f65a85f42e154cce9f7e369d26d3

SHA256
03367caaa1f99c491f1e45a9a172d86b589ac582f2b056a9b3e3431fc571d241

SHA512
065520c69f6bf615c8f0a9bd7cbff4c38d55d70b459784243f8c3562438b9186ade2862c40da5e5b1df8bda109a4551a1ca2f36d07e4b179f313868e0dd4537e

Download Submit
memory/2872-135-0x0000000000000000-mapping.dmp

Download
memory/3500-137-0x0000000000000000-mapping.dmp

Download
memory/3500-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3500-139-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/3860-130-0x0000000000F60000-0x0000000001000000-memory.dmp

Filesize
640KB

Download
memory/3860-131-0x00000000060D0000-0x0000000006674000-memory.dmp

Filesize
5.6MB

Download
memory/3860-132-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/3860-133-0x00000000059A0000-0x00000000059AA000-memory.dmp

Filesize
40KB

Download
memory/3860-134-0x00000000091F0000-0x000000000928C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads