agenttesla | 4a52fbdd9532840dbb385e19d94458678140c46390b3a6f1de3a7e92ea5f5c54

General

Target

INDUS INTL- RFQ(inquiry _list)pht.exe
Size

682KB
MD5

9ad03cd97e4d83bf3bd9f1a2407a4242
SHA1

8f1ced189e835e117388cac76fc68b4810b22a94
SHA256

b2ac207f4af2ee08fd955e71ccfb0c95b07098f0dc88eb2fbe48fb9e1f52c022
SHA512

197ef4db7b2b205fb54bfff024466fa0e90e25ba8db0d59e0532088bb11950a75331c1c8bae212528a819e6315055df16aa60a972abc9fd20833bafe530e67f8

Score

10^/10

agenttesla keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
sWalzdY4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1872-63-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1872-62-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1872-64-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1872-65-0x0000000000447B5E-mapping.dmp	family_agenttesla
behavioral1/memory/1872-67-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1872-69-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/908-56-0x0000000000C20000-0x0000000000C74000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

INDUS INTL- RFQ(inquiry _list)pht.exe

description pid process target process

PID 908 set thread context of 1872 908 INDUS INTL- RFQ(inquiry _list)pht.exe INDUS INTL- RFQ(inquiry _list)pht.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2036 schtasks.exe

description	pid	process	target process
PID 908 set thread context of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe

pid	process
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

INDUS INTL- RFQ(inquiry _list)pht.exeINDUS INTL- RFQ(inquiry _list)pht.exe

pid	process
908	INDUS INTL- RFQ(inquiry _list)pht.exe
908	INDUS INTL- RFQ(inquiry _list)pht.exe
908	INDUS INTL- RFQ(inquiry _list)pht.exe
1872	INDUS INTL- RFQ(inquiry _list)pht.exe
1872	INDUS INTL- RFQ(inquiry _list)pht.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INDUS INTL- RFQ(inquiry _list)pht.exeINDUS INTL- RFQ(inquiry _list)pht.exe

description pid process

Token: SeDebugPrivilege 908 INDUS INTL- RFQ(inquiry _list)pht.exe
Token: SeDebugPrivilege 1872 INDUS INTL- RFQ(inquiry _list)pht.exe

description	pid	process
Token: SeDebugPrivilege	908	INDUS INTL- RFQ(inquiry _list)pht.exe
Token: SeDebugPrivilege	1872	INDUS INTL- RFQ(inquiry _list)pht.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INDUS INTL- RFQ(inquiry _list)pht.exe

description	pid	process	target process
PID 908 wrote to memory of 2036	908	INDUS INTL- RFQ(inquiry _list)pht.exe	schtasks.exe
PID 908 wrote to memory of 2036	908	INDUS INTL- RFQ(inquiry _list)pht.exe	schtasks.exe
PID 908 wrote to memory of 2036	908	INDUS INTL- RFQ(inquiry _list)pht.exe	schtasks.exe
PID 908 wrote to memory of 2036	908	INDUS INTL- RFQ(inquiry _list)pht.exe	schtasks.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe
PID 908 wrote to memory of 1872	908	INDUS INTL- RFQ(inquiry _list)pht.exe	INDUS INTL- RFQ(inquiry _list)pht.exe

C:\Users\Admin\AppData\Local\Temp\INDUS INTL- RFQ(inquiry _list)pht.exe
"C:\Users\Admin\AppData\Local\Temp\INDUS INTL- RFQ(inquiry _list)pht.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QlCnxlaozyf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5B2.tmp"
2⤵
- Creates scheduled task(s)
PID:2036

C:\Users\Admin\AppData\Local\Temp\INDUS INTL- RFQ(inquiry _list)pht.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA5B2.tmp
Filesize
1KB

MD5
872d18905d2f6a6b9f52e122e82b5217

SHA1
9dbabf7de43acb4851c2016cd772f70376ea51ea

SHA256
1e82320e094053dbd0b8acab831b9f1f600154b0f3749ee931150b33c2ae2336

SHA512
c7f324963d6b80f61efd5c6ff0aa6ab9b050b4415a2e4aea7a2baafbc96206087bef5dcd19a2e27e1e7cd6fed0f589ffb1ffeac94cbbc8748807da774fbb5bfc

Download Submit
memory/908-55-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/908-56-0x0000000000C20000-0x0000000000C74000-memory.dmp

Filesize
336KB

Download
memory/908-54-0x0000000001260000-0x0000000001310000-memory.dmp

Filesize
704KB

Download
memory/1872-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-65-0x0000000000447B5E-mapping.dmp

Download
memory/1872-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-70-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads