agenttesla | 74b1d4959a1a4fc749e7e58ae8b6442013bd21bcda958bb4da852692baf678b0

General

Target

long overdue statement (5).exe
Size

634KB
MD5

84d9e5788b3eb0886e25add87470f9c7
SHA1

46ea388b91d174f9d20c5df37718df0b4bdd166a
SHA256

2791e882cf9c19fd8485165584afdccbeac1b7a5ae1781588ea02b7e5f856602
SHA512

6453e8e91a14e3ad6e90c604105ca9ddb907e61729ff8c4178f5683f3e59b7201c84a10c63e78f699dd13e852eb0cb9a6c1d736b75385533c2ea67bb457dfd3e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.blc.com.np
Port:
587
Username:
norviceducation@blc.com.np
Password:
bhuramal

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1364-78-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1364-79-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1364-81-0x00000000004476EE-mapping.dmp	family_agenttesla
behavioral1/memory/1364-80-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1364-83-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1364-85-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 2 IoCs

Processes:

long overdue statement (5).exeRegSvcs.exe

description	pid	process	target process
PID 1760 set thread context of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1772 set thread context of 1364	1772	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1500 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1364 RegSvcs.exe
1364 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1364 RegSvcs.exe

pid	process
1500	schtasks.exe

pid	process
1364	RegSvcs.exe
1364	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1364	RegSvcs.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

long overdue statement (5).exeRegSvcs.exe

description	pid	process	target process
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1760 wrote to memory of 1772	1760	long overdue statement (5).exe	RegSvcs.exe
PID 1772 wrote to memory of 1500	1772	RegSvcs.exe	schtasks.exe
PID 1772 wrote to memory of 1500	1772	RegSvcs.exe	schtasks.exe
PID 1772 wrote to memory of 1500	1772	RegSvcs.exe	schtasks.exe
PID 1772 wrote to memory of 1500	1772	RegSvcs.exe	schtasks.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1364	1772	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\long overdue statement (5).exe
"C:\Users\Admin\AppData\Local\Temp\long overdue statement (5).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nSmUkZhG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA42C.tmp"
3⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA42C.tmp
Filesize
1KB

MD5
708fcce8aeabfa9701c750e4a7846b61

SHA1
3787052143310df9d45343ef210cc26d17ed296d

SHA256
82d0c8643cae63fe308c11e6e324200bb37697375480844f561b9c2c4c9547fe

SHA512
3c301f46266ac5259f3d51cd458f6bf41674fd07d1266fb2c98560e3fde35b13c9c3345162bb2905f5284311c1a7cdc549a95f40c71437fe050d758e4428ff18

Download Submit
memory/1364-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-85-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-83-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-81-0x00000000004476EE-mapping.dmp

Download
memory/1364-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1500-73-0x0000000000000000-mapping.dmp

Download
memory/1760-57-0x0000000005DD0000-0x0000000005E60000-memory.dmp

Filesize
576KB

Download
memory/1760-54-0x0000000000970000-0x0000000000A14000-memory.dmp

Filesize
656KB

Download
memory/1760-56-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1760-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1772-61-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1772-72-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1772-71-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1772-69-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1772-67-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1772-65-0x000000000047F24A-mapping.dmp

Download
memory/1772-64-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1772-63-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1772-59-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1772-58-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads