agenttesla | 4b90f111bc8c7fae466e51e54f57aaefe3b776c0e4044f0d0f118d0e558f82f5

General

Target

Purchase Order Doc.scr
Size

796KB
MD5

8edcfe92ce92808f800bef12341052e8
SHA1

412a5505293f3e2d6d41340af08b0a192456b7ad
SHA256

0193ff4bf0658fc5b1bfa21d0fde437f8ebd5c0e2bb81227f71d75de8d076c08
SHA512

5c6237bb67779fbeba2e279e190544e574595a2258507d3acc22d710cac7e80566540e31f14c0dd8ed2a4470257745ca3c3763419048c2c64af3c0db28928881

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.alfadlytcc.com
Port:
587
Username:
[email protected]
Password:
A$P@ss2022

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-64-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/1844-65-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/1844-66-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/1844-67-0x000000000045427E-mapping.dmp	family_agenttesla
behavioral1/memory/1844-69-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/1844-71-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order Doc.scr

description pid process target process

PID 616 set thread context of 1844 616 Purchase Order Doc.scr RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1288 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1844 RegSvcs.exe
1844 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1844 RegSvcs.exe

description	pid	process	target process
PID 616 set thread context of 1844	616	Purchase Order Doc.scr	RegSvcs.exe

pid	process
1288	schtasks.exe

pid	process
1844	RegSvcs.exe
1844	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1844	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Purchase Order Doc.scr

description	pid	process	target process
PID 616 wrote to memory of 1288	616	Purchase Order Doc.scr	schtasks.exe
PID 616 wrote to memory of 1288	616	Purchase Order Doc.scr	schtasks.exe
PID 616 wrote to memory of 1288	616	Purchase Order Doc.scr	schtasks.exe
PID 616 wrote to memory of 1288	616	Purchase Order Doc.scr	schtasks.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe
PID 616 wrote to memory of 1844	616	Purchase Order Doc.scr	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order Doc.scr
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Doc.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zKuQLnxFTXqVY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6EF9.tmp"
2⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6EF9.tmp
Filesize
1KB

MD5
1c02e0586d3041830d26f6fb50d795c4

SHA1
79b7ba5fa2ea72c912f4fa3156ce460c41897c61

SHA256
c3bdddd664a61e6c2aa49bf7a6f00da278cf42127c2524d70530764f0e6d251c

SHA512
ef105d8b22901e37c7278571f57e747404abc28cbe77008ead4d3784e5f7abe64fcbad989f3fbb0c6fd0a13d24feb6609589f5864f6d78764e8d3c1537162ddd

Download Submit
memory/616-57-0x0000000005040000-0x00000000050B4000-memory.dmp

Filesize
464KB

Download
memory/616-56-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/616-54-0x00000000000E0000-0x00000000001AE000-memory.dmp

Filesize
824KB

Download
memory/616-58-0x00000000020B0000-0x000000000210A000-memory.dmp

Filesize
360KB

Download
memory/616-55-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1288-59-0x0000000000000000-mapping.dmp

Download
memory/1844-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-61-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-64-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-66-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-67-0x000000000045427E-mapping.dmp

Download
memory/1844-69-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-71-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads