agenttesla | 2caa6f030ba5361a6d86ee2faaed3473b7ea25c5dfae745f9065b3091aae5e60

General

Target

Part List_bidding.exe
Size

565KB
MD5

36233073fcb133255abb10ea7e1b9040
SHA1

3fc69e192828bea7a37e16d477df63ee53d9ef85
SHA256

61f179ab9d877a4089f3a2e21db9d62537a9181fe6f58ba81a9eb2b0c45ac3a5
SHA512

c4da1a0a5a482a5b555168ef725f4c802640d997e641c35bbac2004251fb89d81e067c7e7ac3c87382496f6924f477e7c9fb58676ec451892bb3bb2cdf4dbc5e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
1104780540cuome@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2384-138-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Part List_bidding.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Part List_bidding.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Part List_bidding.exe

description pid process target process

PID 3908 set thread context of 2384 3908 Part List_bidding.exe Part List_bidding.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Part List_bidding.exePart List_bidding.exe

pid process

3908 Part List_bidding.exe
3908 Part List_bidding.exe
3908 Part List_bidding.exe
2384 Part List_bidding.exe
2384 Part List_bidding.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Part List_bidding.exePart List_bidding.exe

description pid process

Token: SeDebugPrivilege 3908 Part List_bidding.exe
Token: SeDebugPrivilege 2384 Part List_bidding.exe

description	pid	process	target process
PID 3908 set thread context of 2384	3908	Part List_bidding.exe	Part List_bidding.exe

pid	process
1548	schtasks.exe

pid	process
3908	Part List_bidding.exe
3908	Part List_bidding.exe
3908	Part List_bidding.exe
2384	Part List_bidding.exe
2384	Part List_bidding.exe

description	pid	process
Token: SeDebugPrivilege	3908	Part List_bidding.exe
Token: SeDebugPrivilege	2384	Part List_bidding.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Part List_bidding.exe

description	pid	process	target process
PID 3908 wrote to memory of 1548	3908	Part List_bidding.exe	schtasks.exe
PID 3908 wrote to memory of 1548	3908	Part List_bidding.exe	schtasks.exe
PID 3908 wrote to memory of 1548	3908	Part List_bidding.exe	schtasks.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe
PID 3908 wrote to memory of 2384	3908	Part List_bidding.exe	Part List_bidding.exe

C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe
"C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LOGlDb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB3A.tmp"
2⤵
- Creates scheduled task(s)
PID:1548

C:\Users\Admin\AppData\Local\Temp\Part List_bidding.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCB3A.tmp
Filesize
1KB

MD5
afbfead3bf7e27b90e748a1a4ad6957f

SHA1
235123c4b559af15516c77f93cd99165dafb58c5

SHA256
f5ecd3ab55d4545bc5003e0269a4f10655a661fc8f1374cb218492456898f28f

SHA512
ed2ca90700bf4991c73fc95e4e80dd3e9eeb7102ab257e7b48cdd8a4730117e570da1863ed3ce7d5f951a045392500084590bbf454819e033a27c120d3696346

Download Submit
memory/1548-135-0x0000000000000000-mapping.dmp

Download
memory/2384-137-0x0000000000000000-mapping.dmp

Download
memory/2384-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3908-130-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/3908-131-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/3908-132-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/3908-133-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/3908-134-0x0000000008640000-0x00000000086DC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads