agenttesla | ed0a297e10bb621305115648783375beb0c379b1e2178f4a7470af515978889d

General

Target

स्थानांतरण प्रति 06-19-2020.exe
Size

494KB
MD5

d6f540ae573384978c6cfaaacfe100e9
SHA1

0c260021351ec47e2f7e0fd6e698fc592778f36b
SHA256

7776acf04971eb31d1ceca8e09d1b7579a39a7dbcef5759f051e9f3b49daaa72
SHA512

75ee1fe50354dfa639a9fd98c646557ddf1415ed2882139f7c0ee7a6f2297da7d1f87124c0ad42b719e989c16093a6638b6b2f933f262e7d118bd8d302cc2218

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tde.ro
Port:
21
Username:
pascal@tde.ro
Password:
playboy123

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.tde.ro/
Port:
21
Username:
pascal@tde.ro
Password:
playboy123

Protocol: ftp
Host:
ftp://ftp.tde.ro/
Port:
21
Username:
pascal@tde.ro
Password:
playboy123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3540-137-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

स्थानांतरण प्रति 06-19-2020.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	स्थानांतरण प्रति 06-19-2020.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

स्थानांतरण प्रति 06-19-2020.exe

description	pid	process	target process
PID 1564 set thread context of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2040 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

स्थानांतरण प्रति 06-19-2020.exe

pid process

3540 स्थानांतरण प्रति 06-19-2020.exe
3540 स्थानांतरण प्रति 06-19-2020.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

स्थानांतरण प्रति 06-19-2020.exe

description pid process

Token: SeDebugPrivilege 3540 स्थानांतरण प्रति 06-19-2020.exe

pid	process
2040	schtasks.exe

pid	process
3540	स्थानांतरण प्रति 06-19-2020.exe
3540	स्थानांतरण प्रति 06-19-2020.exe

description	pid	process
Token: SeDebugPrivilege	3540	स्थानांतरण प्रति 06-19-2020.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

स्थानांतरण प्रति 06-19-2020.exeस्थानांतरण प्रति 06-19-2020.exe

description	pid	process	target process
PID 1564 wrote to memory of 2040	1564	स्थानांतरण प्रति 06-19-2020.exe	schtasks.exe
PID 1564 wrote to memory of 2040	1564	स्थानांतरण प्रति 06-19-2020.exe	schtasks.exe
PID 1564 wrote to memory of 2040	1564	स्थानांतरण प्रति 06-19-2020.exe	schtasks.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 1564 wrote to memory of 3540	1564	स्थानांतरण प्रति 06-19-2020.exe	स्थानांतरण प्रति 06-19-2020.exe
PID 3540 wrote to memory of 368	3540	स्थानांतरण प्रति 06-19-2020.exe	netsh.exe
PID 3540 wrote to memory of 368	3540	स्थानांतरण प्रति 06-19-2020.exe	netsh.exe
PID 3540 wrote to memory of 368	3540	स्थानांतरण प्रति 06-19-2020.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\स्थानांतरण प्रति 06-19-2020.exe
"C:\Users\Admin\AppData\Local\Temp\स्थानांतरण प्रति 06-19-2020.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsJSFKjD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp127E.tmp"
2⤵
- Creates scheduled task(s)
PID:2040

C:\Users\Admin\AppData\Local\Temp\स्थानांतरण प्रति 06-19-2020.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp127E.tmp
Filesize
1KB

MD5
06d289405865e3bd667e7491bab75016

SHA1
fe2df3658d7339f37d4559a28f0244ff2c274b57

SHA256
c1ca669279b86c080cb65c6d454d6740413b6fe99fa6b06f0dcff94c5dc41176

SHA512
ceffc41788e0c82d0ad93f960dd0a38eca1a72fb62ef10c296d093be8157e584b67df108be176948c8e91483c31b28454a18e8d194820348c2c61849c7da70d2

Download Submit
memory/368-140-0x0000000000000000-mapping.dmp

Download
memory/1564-130-0x00000000007E0000-0x0000000000862000-memory.dmp

Filesize
520KB

Download
memory/1564-131-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/1564-132-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/1564-133-0x0000000006130000-0x00000000066D4000-memory.dmp

Filesize
5.6MB

Download
memory/2040-134-0x0000000000000000-mapping.dmp

Download
memory/3540-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3540-136-0x0000000000000000-mapping.dmp

Download
memory/3540-138-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/3540-139-0x00000000065C0000-0x0000000006610000-memory.dmp

Filesize
320KB

Download
memory/3540-141-0x0000000006C90000-0x0000000006C9A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads