agenttesla | 063557e31f33f43df3d9324be5b24829a7f636952526d89be348f3e86c019dab

General

Target

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
Size

603KB
MD5

23f551a5ac8ec744ece3dabee871cd30
SHA1

97227666e1b88f7f6e2d88e6d53c832edf6f52cb
SHA256

3ac8a6bb8e3551f1889bcdbe567d78c4d1afd90f91904d5bbaffc6879abbb37a
SHA512

0f53a4efdc1159a96e177e288b0a7ca58bd4acd3ade45a5720d4633f514f824a42bba761859fd6a7c6f0da51f32c493fb7b1bf73526d28bf4574858d5bc4e25e

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.specialmetal.ir
Port:
587
Username:
[email protected]
Password:
02188985257

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3244-139-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe"	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

description	pid	process	target process
PID 4504 set thread context of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exeRFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

pid process

4504 RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
3244 RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
3244 RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

pid	process
3596	schtasks.exe

pid	process
4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
3244	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
3244	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exeRFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

description	pid	process
Token: SeDebugPrivilege	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
Token: SeDebugPrivilege	3244	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

description	pid	process	target process
PID 4504 wrote to memory of 3596	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	schtasks.exe
PID 4504 wrote to memory of 3596	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	schtasks.exe
PID 4504 wrote to memory of 3596	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	schtasks.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
PID 4504 wrote to memory of 3244	4504	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe	RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe

C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FhDgCxwjwYe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp123B.tmp"
2⤵
- Creates scheduled task(s)
PID:3596

C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ ICT-200068-MKE-AL ESTISHARI_pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp123B.tmp
Filesize
1KB

MD5
27afbf000d983f86e4b3e0eddcf14f27

SHA1
b1d4704ecd01bd5b9e05ac7ba873e3f10b92c913

SHA256
65a95237d217cf1c830f1af6437bca3a3602482b9c8f6122ac742f237b734d16

SHA512
46f59df97b6a995b3d5377452edba1f8cd3fcd1eaff4b65914c1b0c64c1ef822bc00ba08d40f57707cbbdc6039b4ef71d224fb2283e679afec92699d767f8666

Download Submit
memory/3244-138-0x0000000000000000-mapping.dmp

Download
memory/3244-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3244-140-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/3596-136-0x0000000000000000-mapping.dmp

Download
memory/4504-130-0x0000000000E80000-0x0000000000F1E000-memory.dmp

Filesize
632KB

Download
memory/4504-131-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/4504-132-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/4504-133-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/4504-134-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/4504-135-0x0000000005A90000-0x0000000005AE6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads