agenttesla | 4b90f111bc8c7fae466e51e54f57aaefe3b776c0e4044f0d0f118d0e558f82f5

General

Target

Purchase Order Doc.scr
Size

796KB
MD5

8edcfe92ce92808f800bef12341052e8
SHA1

412a5505293f3e2d6d41340af08b0a192456b7ad
SHA256

0193ff4bf0658fc5b1bfa21d0fde437f8ebd5c0e2bb81227f71d75de8d076c08
SHA512

5c6237bb67779fbeba2e279e190544e574595a2258507d3acc22d710cac7e80566540e31f14c0dd8ed2a4470257745ca3c3763419048c2c64af3c0db28928881

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.alfadlytcc.com
Port:
587
Username:
[email protected]
Password:
A$P@ss2022

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1460-140-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order Doc.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Purchase Order Doc.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order Doc.scr

description pid process target process

PID 4608 set thread context of 1460 4608 Purchase Order Doc.scr RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4196 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Purchase Order Doc.scrRegSvcs.exe

pid process

4608 Purchase Order Doc.scr
1460 RegSvcs.exe
1460 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order Doc.scrRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4608 Purchase Order Doc.scr
Token: SeDebugPrivilege 1460 RegSvcs.exe

description	pid	process	target process
PID 4608 set thread context of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe

pid	process
4196	schtasks.exe

pid	process
4608	Purchase Order Doc.scr
1460	RegSvcs.exe
1460	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4608	Purchase Order Doc.scr
Token: SeDebugPrivilege	1460	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Purchase Order Doc.scr

description	pid	process	target process
PID 4608 wrote to memory of 4196	4608	Purchase Order Doc.scr	schtasks.exe
PID 4608 wrote to memory of 4196	4608	Purchase Order Doc.scr	schtasks.exe
PID 4608 wrote to memory of 4196	4608	Purchase Order Doc.scr	schtasks.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe
PID 4608 wrote to memory of 1460	4608	Purchase Order Doc.scr	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order Doc.scr
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Doc.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zKuQLnxFTXqVY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB65.tmp"
2⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB65.tmp
Filesize
1KB

MD5
25062a4a88f7ca202d574fa7cb6bd453

SHA1
1d4a2898e9ae71bc8d2d30c179b820995c668116

SHA256
d6b5585fa8e86ce2a46bedd33908d718f2c0d92713c84b4053cc6f4541300850

SHA512
2bd85e201dceee11b6fb62608d6adfac85a125da84938e5f7927d09df31ed9965276b154cb131321c949a1a90a25f2438c4ed8d852a9ef54bba9593a5dad8f2b

Download Submit
memory/1460-139-0x0000000000000000-mapping.dmp

Download
memory/1460-140-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1460-141-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/4196-137-0x0000000000000000-mapping.dmp

Download
memory/4608-130-0x0000000000710000-0x00000000007DE000-memory.dmp

Filesize
824KB

Download
memory/4608-131-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/4608-132-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/4608-133-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/4608-134-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/4608-135-0x0000000005420000-0x0000000005476000-memory.dmp

Filesize
344KB

Download
memory/4608-136-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads