agenttesla | ebb86221b5c4336e8155321c3ef818e39e38c981227b768433d107ba6aa3bd69

General

Target

SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
Size

960KB
MD5

a0b2a10e84abe8930570103f841bcc75
SHA1

441c100f5467f1e7983b3e62119b60bb3cc757d7
SHA256

ebb86221b5c4336e8155321c3ef818e39e38c981227b768433d107ba6aa3bd69
SHA512

023c0e59dbdd9dd8f3b2e3ad99154942d651e7b3c3b498e25d957fb4b717dde7148a932bc1cfd1a4a9679889fcaa22de8b25d75ae14f01e12c3a25ef248794d5
SSDEEP

24576:EGU376CRkFg/IyXtBbvShFasPKhCX0sTLZeD1zBCh:2PkoXvSLSkzTNk1W

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.biateknos.com
Port:
587
Username:
[email protected]
Password:
biateknossutinah
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe

description pid process target process

PID 672 set thread context of 1456 672 SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1864 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exeRegSvcs.exe

pid process

672 SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
672 SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
1456 RegSvcs.exe
1456 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 672 SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
Token: SeDebugPrivilege 1456 RegSvcs.exe

description	pid	process	target process
PID 672 set thread context of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe

pid	process
1864	schtasks.exe

pid	process
672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
1456	RegSvcs.exe
1456	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
Token: SeDebugPrivilege	1456	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe

description	pid	process	target process
PID 672 wrote to memory of 1864	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	schtasks.exe
PID 672 wrote to memory of 1864	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	schtasks.exe
PID 672 wrote to memory of 1864	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	schtasks.exe
PID 672 wrote to memory of 1864	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	schtasks.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1708	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe
PID 672 wrote to memory of 1456	672	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRqvNpf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp"
2⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp
Filesize
1KB

MD5
7b76c6e481e0c1d0d338e4837612989a

SHA1
223690eefdc5a228861145bda82c9623e785a4b0

SHA256
30caff9c38e45c461b60cac9cae3b5438129ef2fe723d7a7700889f9b7f6714a

SHA512
9b737c822d2cce7e5c90adc25f0e3fd7d91bb1b964dfb269c7e6fe94fa620ef51e4c912d69b294e8aab5566ed0a5926c68626bcac1a0906e01935c6941f938c4

Download Submit
memory/672-57-0x0000000005460000-0x000000000551E000-memory.dmp

Filesize
760KB

Download
memory/672-55-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/672-54-0x0000000000910000-0x0000000000A06000-memory.dmp

Filesize
984KB

Download
memory/672-58-0x0000000005390000-0x000000000540C000-memory.dmp

Filesize
496KB

Download
memory/672-56-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1456-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-67-0x0000000000437C1E-mapping.dmp

Download
memory/1456-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1456-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads