agenttesla | eb1663b21e6050e58b9daaadce02cd04cbc82018cfaf664d6bff162b7c903fc3

General

Target

DOCUMENTS pdf.exe
Size

783KB
MD5

0f22eacae1316be03f6829946306b593
SHA1

3a3d3297ae8b1e96bc0fda3502a58d69447a2577
SHA256

b6cbbb6a53fb168a24f6a2f4bbf296547e5ece0314e2b9c21d6662af66a3ac4a
SHA512

3b74d936eb6faeab8ea2b37aee1bf90ee54e76a0e37f8ba08d2580908cb648d19da89720a51e5475298abfdab969a474f6145157e5b2662767f7a05795ab6e36

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/896-64-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1524 schtasks.exe

pid	process
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DOCUMENTS pdf.exe

pid	process
976	DOCUMENTS pdf.exe
976	DOCUMENTS pdf.exe
976	DOCUMENTS pdf.exe
976	DOCUMENTS pdf.exe
976	DOCUMENTS pdf.exe
976	DOCUMENTS pdf.exe
976	DOCUMENTS pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DOCUMENTS pdf.exe

description pid process

Token: SeDebugPrivilege 976 DOCUMENTS pdf.exe

description	pid	process
Token: SeDebugPrivilege	976	DOCUMENTS pdf.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

DOCUMENTS pdf.exe

description	pid	process	target process
PID 976 wrote to memory of 1524	976	DOCUMENTS pdf.exe	schtasks.exe
PID 976 wrote to memory of 1524	976	DOCUMENTS pdf.exe	schtasks.exe
PID 976 wrote to memory of 1524	976	DOCUMENTS pdf.exe	schtasks.exe
PID 976 wrote to memory of 1524	976	DOCUMENTS pdf.exe	schtasks.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 896	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 648	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1928	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 672	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe
PID 976 wrote to memory of 1640	976	DOCUMENTS pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENTS pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENTS pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp478C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp478C.tmp

Filesize
1KB

MD5
dc436ff5b60ef8168376c73a193ed25c

SHA1
0943c8a1a0851b7b79d31fadb488cce2e0444638

SHA256
949ee6cece73e1304479fc963d79d2fd8e6410f451c1ce0ae6fd6e1b40b70705

SHA512
1f66711762ef86444a1e4edd5e3105b2ca5e83ec72bc6c2e04c7b5a9de1f50df3a6a85c75fc54003e4ebb0c9d8061455a6ef2e544726536592fb32dbf99736bd

Download Submit
memory/896-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/896-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/896-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/976-54-0x0000000000B50000-0x0000000000C1A000-memory.dmp

Filesize
808KB

Download
memory/976-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/976-56-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/976-57-0x0000000005BF0000-0x0000000005C5E000-memory.dmp

Filesize
440KB

Download
memory/976-58-0x0000000004360000-0x00000000043B6000-memory.dmp

Filesize
344KB

Download
memory/1524-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads