agenttesla | acc9bb38581081506db62caf5850f4b8819296a1be01202b47c44d3950e7ebb2

General

Target

information.exe
Size

1.1MB
MD5

b3f2deb005bc80453da9d819482b11ca
SHA1

f6c2437095ed367c805a40d7018e4ee26b85b91a
SHA256

acc9bb38581081506db62caf5850f4b8819296a1be01202b47c44d3950e7ebb2
SHA512

f8a3aecf4e25854817c4a230743e29a55a7f8cc2fb8468de2c20ec8e8f344cc996d1ffaa51b1968c7a8f9ffff21687285fd931e6184f05b34040580a53ec7612
SSDEEP

24576:yDIm+CwxbNuTrG2muk2P6BRQfpmYeWPd+:yDIpCwx5+GGyfUpbPQ

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

resource	yara_rule
behavioral1/memory/1712-72-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1712-73-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1712-74-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1712-75-0x000000000043787E-mapping.dmp	family_agenttesla
behavioral1/memory/1712-77-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1712-79-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 576 set thread context of 1712	576	information.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
576	information.exe
576	information.exe
576	information.exe
576	information.exe
576	information.exe
576	information.exe
1712	information.exe
1712	information.exe
1464	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	information.exe
Token: SeDebugPrivilege	1712	information.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
576	information.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
576	information.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1516	576	information.exe	26
PID 576 wrote to memory of 1516	576	information.exe	26
PID 576 wrote to memory of 1516	576	information.exe	26
PID 576 wrote to memory of 1516	576	information.exe	26
PID 576 wrote to memory of 1464	576	information.exe	28
PID 576 wrote to memory of 1464	576	information.exe	28
PID 576 wrote to memory of 1464	576	information.exe	28
PID 576 wrote to memory of 1464	576	information.exe	28
PID 576 wrote to memory of 1104	576	information.exe	30
PID 576 wrote to memory of 1104	576	information.exe	30
PID 576 wrote to memory of 1104	576	information.exe	30
PID 576 wrote to memory of 1104	576	information.exe	30
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32
PID 576 wrote to memory of 1712	576	information.exe	32

C:\Users\Admin\AppData\Local\Temp\information.exe
"C:\Users\Admin\AppData\Local\Temp\information.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\information.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wSYotnpd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wSYotnpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF75.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\information.exe
  "C:\Users\Admin\AppData\Local\Temp\information.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFF75.tmp

Filesize
1KB

MD5
8fad46343e428e3e6cc0e6e53c5db1db

SHA1
e4b2771f6d01d5a700ff59ca84c1ee34e4551767

SHA256
cb53f089d5c2cab3a83e0584305f719004c6d9e4961a2b861d25c6fa5ffb8c2d

SHA512
fb34596253b7cc81fa0ba023a6e9773eccd6e1094bcbd1ec1cffe8f9f7ea6f81105329670531112d62a2a3bf312721479c6b0cc3fa4cb1a3c3ba65ece6cfc699

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cfbe7b3e01ef51efb52548099e80d16e

SHA1
c945a1dad50ed18bed90339fc199f93c542ee6aa

SHA256
7a3fce8db636b51a15cef156cef99fcb65a278f9331eac8e1048428cae3de327

SHA512
402a3870d594821d2e06a21311d6135f8127525f5a23b1fec45a493ca5dde6383eae5bc95fba8769b8013f1d34b0c7de757b5c616cef160389909ca4131f9c35

Download Submit
memory/576-68-0x0000000006090000-0x0000000006108000-memory.dmp

Filesize
480KB

Download
memory/576-57-0x0000000004FB5000-0x0000000004FC6000-memory.dmp

Filesize
68KB

Download
memory/576-58-0x0000000004FB5000-0x0000000004FC6000-memory.dmp

Filesize
68KB

Download
memory/576-59-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/576-60-0x0000000007FE0000-0x00000000080AE000-memory.dmp

Filesize
824KB

Download
memory/576-80-0x0000000004FB5000-0x0000000004FC6000-memory.dmp

Filesize
68KB

Download
memory/576-54-0x0000000000150000-0x000000000027A000-memory.dmp

Filesize
1.2MB

Download
memory/576-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-56-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/1464-84-0x000000006EB20000-0x000000006F0CB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-82-0x000000006EB20000-0x000000006F0CB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-85-0x000000006EB20000-0x000000006F0CB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-81-0x000000006EB20000-0x000000006F0CB000-memory.dmp

Filesize
5.7MB

Download
memory/1712-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads