agenttesla | 65b7b3eb15b6563c277b66fedf41af12c9d3a1d909d41943089b8282103299ce

General

Target

New Orders- POB0.pdf.exe
Size

783KB
MD5

0f22eacae1316be03f6829946306b593
SHA1

3a3d3297ae8b1e96bc0fda3502a58d69447a2577
SHA256

b6cbbb6a53fb168a24f6a2f4bbf296547e5ece0314e2b9c21d6662af66a3ac4a
SHA512

3b74d936eb6faeab8ea2b37aee1bf90ee54e76a0e37f8ba08d2580908cb648d19da89720a51e5475298abfdab969a474f6145157e5b2662767f7a05795ab6e36

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1008-64-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

640 schtasks.exe

pid	process
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

New Orders- POB0.pdf.exe

pid	process
1968	New Orders- POB0.pdf.exe
1968	New Orders- POB0.pdf.exe
1968	New Orders- POB0.pdf.exe
1968	New Orders- POB0.pdf.exe
1968	New Orders- POB0.pdf.exe
1968	New Orders- POB0.pdf.exe
1968	New Orders- POB0.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Orders- POB0.pdf.exe

description pid process

Token: SeDebugPrivilege 1968 New Orders- POB0.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1968	New Orders- POB0.pdf.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

New Orders- POB0.pdf.exe

description	pid	process	target process
PID 1968 wrote to memory of 640	1968	New Orders- POB0.pdf.exe	schtasks.exe
PID 1968 wrote to memory of 640	1968	New Orders- POB0.pdf.exe	schtasks.exe
PID 1968 wrote to memory of 640	1968	New Orders- POB0.pdf.exe	schtasks.exe
PID 1968 wrote to memory of 640	1968	New Orders- POB0.pdf.exe	schtasks.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1008	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 888	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 880	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1824	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 1980	1968	New Orders- POB0.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\New Orders- POB0.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\New Orders- POB0.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3CF.tmp"
2⤵
- Creates scheduled task(s)
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1980

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA3CF.tmp
Filesize
1KB

MD5
dc436ff5b60ef8168376c73a193ed25c

SHA1
0943c8a1a0851b7b79d31fadb488cce2e0444638

SHA256
949ee6cece73e1304479fc963d79d2fd8e6410f451c1ce0ae6fd6e1b40b70705

SHA512
1f66711762ef86444a1e4edd5e3105b2ca5e83ec72bc6c2e04c7b5a9de1f50df3a6a85c75fc54003e4ebb0c9d8061455a6ef2e544726536592fb32dbf99736bd

Download Submit
memory/640-59-0x0000000000000000-mapping.dmp

Download
memory/1008-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1008-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1008-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1968-54-0x0000000001200000-0x00000000012CA000-memory.dmp

Filesize
808KB

Download
memory/1968-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1968-56-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1968-57-0x0000000005210000-0x000000000527E000-memory.dmp

Filesize
440KB

Download
memory/1968-58-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads