agenttesla | 0bb1ef1b5da51503d3eacf1ecb66e7205bdb3aeab888bd7959ebb674f1eab631

General

Target

Purchase Order.exe
Size

381KB
MD5

20c2c7e30a36e36fc8c8db7c700e886a
SHA1

87fb6b5b2872a14cd66b78d0f246ea8777cb0c9a
SHA256

1317c9f8869b5342150133772b8399d866904c1157e5fc527b9660e676acd5f1
SHA512

0a00908f24e98b9366f069869e7cf25a0d95f92515c6cd18a1ab7c687ee78c31648e8710e51ea58518a94dd661ee7aac31441c638bac8bc0e9ec468a21ea564c

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.impressindia.net
Port:
587
Username:
[email protected]
Password:
!,tR}%PDdI0N

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-67-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1932-68-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1932-69-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1932-70-0x000000000044C9FE-mapping.dmp	family_agenttesla
behavioral1/memory/1932-73-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1932-75-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

Purchase Order.exePurchase Order.exe

pid process

268 Purchase Order.exe
1932 Purchase Order.exe
Loads dropped DLL 2 IoCs

Processes:

Purchase Order.exe

pid process

1944 Purchase Order.exe
1944 Purchase Order.exe

pid	process
268	Purchase Order.exe
1932	Purchase Order.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Purchase Order.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\usbutil = "\"C:\\Users\\Admin\\AppData\\Local\\usbutil.exe\""	Purchase Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order.exe

description pid process target process

PID 1944 set thread context of 1932 1944 Purchase Order.exe Purchase Order.exe

description	pid	process	target process
PID 1944 set thread context of 1932	1944	Purchase Order.exe	Purchase Order.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Purchase Order.exePurchase Order.exe

pid	process
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1944	Purchase Order.exe
1932	Purchase Order.exe
1932	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order.exePurchase Order.exe

description pid process

Token: SeDebugPrivilege 1944 Purchase Order.exe
Token: SeDebugPrivilege 1932 Purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	1944	Purchase Order.exe
Token: SeDebugPrivilege	1932	Purchase Order.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Purchase Order.exe

description	pid	process	target process
PID 1944 wrote to memory of 268	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 268	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 268	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 268	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe
PID 1944 wrote to memory of 1932	1944	Purchase Order.exe	Purchase Order.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
2⤵
- Executes dropped EXE
PID:268

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
Filesize
381KB

MD5
20c2c7e30a36e36fc8c8db7c700e886a

SHA1
87fb6b5b2872a14cd66b78d0f246ea8777cb0c9a

SHA256
1317c9f8869b5342150133772b8399d866904c1157e5fc527b9660e676acd5f1

SHA512
0a00908f24e98b9366f069869e7cf25a0d95f92515c6cd18a1ab7c687ee78c31648e8710e51ea58518a94dd661ee7aac31441c638bac8bc0e9ec468a21ea564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
Filesize
381KB

MD5
20c2c7e30a36e36fc8c8db7c700e886a

SHA1
87fb6b5b2872a14cd66b78d0f246ea8777cb0c9a

SHA256
1317c9f8869b5342150133772b8399d866904c1157e5fc527b9660e676acd5f1

SHA512
0a00908f24e98b9366f069869e7cf25a0d95f92515c6cd18a1ab7c687ee78c31648e8710e51ea58518a94dd661ee7aac31441c638bac8bc0e9ec468a21ea564c

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase Order.exe
Filesize
381KB

MD5
20c2c7e30a36e36fc8c8db7c700e886a

SHA1
87fb6b5b2872a14cd66b78d0f246ea8777cb0c9a

SHA256
1317c9f8869b5342150133772b8399d866904c1157e5fc527b9660e676acd5f1

SHA512
0a00908f24e98b9366f069869e7cf25a0d95f92515c6cd18a1ab7c687ee78c31648e8710e51ea58518a94dd661ee7aac31441c638bac8bc0e9ec468a21ea564c

Download Submit
\Users\Admin\AppData\Local\Temp\Purchase Order.exe
Filesize
381KB

MD5
20c2c7e30a36e36fc8c8db7c700e886a

SHA1
87fb6b5b2872a14cd66b78d0f246ea8777cb0c9a

SHA256
1317c9f8869b5342150133772b8399d866904c1157e5fc527b9660e676acd5f1

SHA512
0a00908f24e98b9366f069869e7cf25a0d95f92515c6cd18a1ab7c687ee78c31648e8710e51ea58518a94dd661ee7aac31441c638bac8bc0e9ec468a21ea564c

Download Submit
memory/1932-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1932-69-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1932-75-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1932-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1932-70-0x000000000044C9FE-mapping.dmp

Download
memory/1932-68-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1932-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1932-65-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1944-54-0x0000000000FD0000-0x0000000001034000-memory.dmp

Filesize
400KB

Download
memory/1944-56-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/1944-59-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/1944-57-0x0000000000CD0000-0x0000000000D1A000-memory.dmp

Filesize
296KB

Download
memory/1944-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1944-58-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/1944-60-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads