agenttesla | 74b1d4959a1a4fc749e7e58ae8b6442013bd21bcda958bb4da852692baf678b0

General

Target

long overdue statement (5).exe
Size

634KB
MD5

84d9e5788b3eb0886e25add87470f9c7
SHA1

46ea388b91d174f9d20c5df37718df0b4bdd166a
SHA256

2791e882cf9c19fd8485165584afdccbeac1b7a5ae1781588ea02b7e5f856602
SHA512

6453e8e91a14e3ad6e90c604105ca9ddb907e61729ff8c4178f5683f3e59b7201c84a10c63e78f699dd13e852eb0cb9a6c1d736b75385533c2ea67bb457dfd3e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.blc.com.np
Port:
587
Username:
norviceducation@blc.com.np
Password:
bhuramal

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/400-140-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 2 IoCs

Processes:

long overdue statement (5).exeRegSvcs.exe

description	pid	process	target process
PID 3504 set thread context of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 4404 set thread context of 400	4404	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

400 RegSvcs.exe
400 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 400 RegSvcs.exe

pid	process
1696	schtasks.exe

pid	process
400	RegSvcs.exe
400	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	400	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

long overdue statement (5).exeRegSvcs.exe

description	pid	process	target process
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 3504 wrote to memory of 4404	3504	long overdue statement (5).exe	RegSvcs.exe
PID 4404 wrote to memory of 1696	4404	RegSvcs.exe	schtasks.exe
PID 4404 wrote to memory of 1696	4404	RegSvcs.exe	schtasks.exe
PID 4404 wrote to memory of 1696	4404	RegSvcs.exe	schtasks.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe
PID 4404 wrote to memory of 400	4404	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\long overdue statement (5).exe
"C:\Users\Admin\AppData\Local\Temp\long overdue statement (5).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nSmUkZhG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46A9.tmp"
3⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46A9.tmp
Filesize
1KB

MD5
87ebd7d306327d29507b7fcd72da5d5a

SHA1
5b91ed1da81d03c447f0917ada1b0eb79d0c5a43

SHA256
5974f6b8ce9a2cf9b90efadb0a4bf2311583d5b7d359d6ad94cdbaeca0a1184b

SHA512
606c381aae90eead22065f1f7305327e16be04a675e83fc3ea90107a9ce92102714d44a5cf6d6ce7027486e8dba73b522062fdb3a7086c70e369a6931438c691

Download Submit
memory/400-139-0x0000000000000000-mapping.dmp

Download
memory/400-140-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/400-141-0x00000000063C0000-0x0000000006426000-memory.dmp

Filesize
408KB

Download
memory/1696-137-0x0000000000000000-mapping.dmp

Download
memory/3504-130-0x0000000000950000-0x00000000009F4000-memory.dmp

Filesize
656KB

Download
memory/3504-131-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/3504-132-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/3504-133-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/3504-134-0x0000000009240000-0x00000000092DC000-memory.dmp

Filesize
624KB

Download
memory/4404-135-0x0000000000000000-mapping.dmp

Download
memory/4404-136-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads