agenttesla | d2a14337d5114e189e91736aaaa069410cfae88d3c75c77618c9a7fa2418109a

General

Target

PO#1132 &1133.exe
Size

500KB
MD5

66025ac6fd60f45bbeac781a6dd87b0d
SHA1

c18b50db3c100d0adbc7a60530e515eb35483389
SHA256

788c228ea56724227e6eb18a04d36fa4eda9dcfd5a90f1131a54f01ce7445a48
SHA512

14aacfd10e247eca000671364a37de573ec9dc98cd18758a7809a0adb0a9d96df1ebb2d5fd54695cd48fcaed9388eff33a8a50c539cc0576baf734a0a96e6b53
SSDEEP

12288:EW9ABfUnsuZbSSPcLRy70P5+7xsQRTK05+UL/QT3Z7i:EW9uUfZ/cLRy70PU7xsQRK05o7l

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.strictfacilityservices.com
Port:
587
Username:
[email protected]
Password:
SFS!@#321
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#1132 &1133.exe

description pid process target process

PID 1688 set thread context of 1360 1688 PO#1132 &1133.exe PO#1132 &1133.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

PO#1132 &1133.exePO#1132 &1133.exe

pid process

1688 PO#1132 &1133.exe
1360 PO#1132 &1133.exe
1360 PO#1132 &1133.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO#1132 &1133.exePO#1132 &1133.exe

description pid process

Token: SeDebugPrivilege 1688 PO#1132 &1133.exe
Token: SeDebugPrivilege 1360 PO#1132 &1133.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1688 set thread context of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe

pid	process
1772	schtasks.exe

pid	process
1688	PO#1132 &1133.exe
1360	PO#1132 &1133.exe
1360	PO#1132 &1133.exe

description	pid	process
Token: SeDebugPrivilege	1688	PO#1132 &1133.exe
Token: SeDebugPrivilege	1360	PO#1132 &1133.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO#1132 &1133.exe

description	pid	process	target process
PID 1688 wrote to memory of 1772	1688	PO#1132 &1133.exe	schtasks.exe
PID 1688 wrote to memory of 1772	1688	PO#1132 &1133.exe	schtasks.exe
PID 1688 wrote to memory of 1772	1688	PO#1132 &1133.exe	schtasks.exe
PID 1688 wrote to memory of 1772	1688	PO#1132 &1133.exe	schtasks.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe
PID 1688 wrote to memory of 1360	1688	PO#1132 &1133.exe	PO#1132 &1133.exe

C:\Users\Admin\AppData\Local\Temp\PO#1132 &1133.exe
"C:\Users\Admin\AppData\Local\Temp\PO#1132 &1133.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iZHaPFhbQYqK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5B7.tmp"
2⤵
- Creates scheduled task(s)
PID:1772

C:\Users\Admin\AppData\Local\Temp\PO#1132 &1133.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD5B7.tmp

Filesize
1KB

MD5
3c56c0decadd8e74948dc7b20780fac1

SHA1
4b5b5723406d8a6679b6be02ec888054bb823c82

SHA256
b41d8991842294d5389f7682458cb022ac64830934d8885cabe16b5f20a01ae2

SHA512
5c82f6f38cd464686db4e1c34db11d0788bf6e8cc5001018e21f40408983133ff84843d25464e0af2cbc8e91f45f466a5fc7282d46e67de5899f30708dc9b8c7

Download Submit
memory/1360-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-67-0x0000000000437B9E-mapping.dmp

Download
memory/1360-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-54-0x0000000000840000-0x00000000008C4000-memory.dmp

Filesize
528KB

Download
memory/1688-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1688-56-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1688-58-0x0000000000730000-0x000000000076C000-memory.dmp

Filesize
240KB

Download
memory/1688-57-0x0000000005000000-0x000000000507A000-memory.dmp

Filesize
488KB

Download
memory/1772-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads