agenttesla | 8f5b224a8a1dabf0544800d7667a3aa5fc0e2d65c580f047a496f349cfcf332b

General

Target

INV and NOA.exe
Size

914KB
MD5

eece97d66f499d5bc467b57dc23fd6aa
SHA1

cfd55a1a6de54a074c202169e2d1a050727ead6c
SHA256

b33ad8c19c7d05ef5e089aee474e1c596787329a41323be0ca7401186402ce22
SHA512

ce17d7659d8220ada495ae64e7cf6c63d1f44a462320bab18a50df1009de94e7b9101f54f22ffd4d00788b6a408a189d7c7f54c5c5147abb0e8e7e796fd737e4
SSDEEP

24576:36U376CNSebh0qxoRaDXx3CQbk1vYKtSBObztIskFgqIyX:3TXh0q3zxNbcztIObznkVX

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.southernboilers.org
Port:
587
Username:
[email protected]
Password:
Sksmoke2018#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV and NOA.exe

description pid process target process

PID 1248 set thread context of 1592 1248 INV and NOA.exe INV and NOA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1712 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

INV and NOA.exeINV and NOA.exe

pid process

1248 INV and NOA.exe
1592 INV and NOA.exe
1592 INV and NOA.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INV and NOA.exeINV and NOA.exe

description pid process

Token: SeDebugPrivilege 1248 INV and NOA.exe
Token: SeDebugPrivilege 1592 INV and NOA.exe

description	pid	process	target process
PID 1248 set thread context of 1592	1248	INV and NOA.exe	INV and NOA.exe

pid	process
1712	schtasks.exe

pid	process
1248	INV and NOA.exe
1592	INV and NOA.exe
1592	INV and NOA.exe

description	pid	process
Token: SeDebugPrivilege	1248	INV and NOA.exe
Token: SeDebugPrivilege	1592	INV and NOA.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INV and NOA.exe

description	pid	process	target process
PID 1248 wrote to memory of 1712	1248	INV and NOA.exe	schtasks.exe
PID 1248 wrote to memory of 1712	1248	INV and NOA.exe	schtasks.exe
PID 1248 wrote to memory of 1712	1248	INV and NOA.exe	schtasks.exe
PID 1248 wrote to memory of 1712	1248	INV and NOA.exe	schtasks.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe
PID 1248 wrote to memory of 1592	1248	INV and NOA.exe	INV and NOA.exe

C:\Users\Admin\AppData\Local\Temp\INV and NOA.exe
"C:\Users\Admin\AppData\Local\Temp\INV and NOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TrorzNZhIKQsi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F4E.tmp"
2⤵
- Creates scheduled task(s)
PID:1712

C:\Users\Admin\AppData\Local\Temp\INV and NOA.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7F4E.tmp
Filesize
1KB

MD5
76d6131d2cea7630e586fc11ae3294b1

SHA1
4cca1bc3399515814d4002fceb2ef6dcb160a758

SHA256
304a205008336709795fb3543e43c92d198a682977da66a62939c4012d33d3a9

SHA512
38bac1bf2c82772c9c84604921ce347d27cee99baeff9492a19ef6ed3a16365f5d16f65730c56000872c80935b7ad7e541d8d523f8b33bf97e1044a9d51afa68

Download Submit
memory/1248-57-0x0000000004EF0000-0x0000000004FB2000-memory.dmp

Filesize
776KB

Download
memory/1248-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-54-0x0000000000A50000-0x0000000000B3A000-memory.dmp

Filesize
936KB

Download
memory/1248-58-0x0000000004FB0000-0x000000000502C000-memory.dmp

Filesize
496KB

Download
memory/1248-56-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/1592-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-67-0x0000000000437B8E-mapping.dmp

Download
memory/1592-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads