agenttesla | 523827d0143781d5e1124ddcc75eaed873f190f255497217ef2f61a5714fedb8

Analysis

max time kernel
245s
max time network
237s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE SHIPPING-PACKING LIST.exe
Size

492KB
MD5

6f793265d64232cda59fc43f2f7b120d
SHA1

7a5aebb953f37e9b2f4f7ba0c9c19c945a7d808b
SHA256

523827d0143781d5e1124ddcc75eaed873f190f255497217ef2f61a5714fedb8
SHA512

bbbacbc4695e7088564cf85974b3ddf5aa6e3bdbc3fea8f8538ec4fa79c8e8ffeb62b3e3b59831da8aefb3be9b9e8c71d8d4b1b33ad7fae307e3356612b7e24f
SSDEEP

12288:6XT5OxeW3QRu0ApGptvXqXuRfaFhgOo7zcyv:6XdOxeYGu0ApGpB+OvD

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

mtsotp.exemtsotp.exe

pid process

4772 mtsotp.exe
4292 mtsotp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mtsotp.exe

description pid process target process

PID 4772 set thread context of 4292 4772 mtsotp.exe mtsotp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mtsotp.exe

pid process

4292 mtsotp.exe
4292 mtsotp.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

mtsotp.exe

pid process

4772 mtsotp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mtsotp.exe

description pid process

Token: SeDebugPrivilege 4292 mtsotp.exe

pid	process
4772	mtsotp.exe
4292	mtsotp.exe

description	pid	process	target process
PID 4772 set thread context of 4292	4772	mtsotp.exe	mtsotp.exe

pid	process
4292	mtsotp.exe
4292	mtsotp.exe

pid	process
4772	mtsotp.exe

description	pid	process
Token: SeDebugPrivilege	4292	mtsotp.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

INVOICE SHIPPING-PACKING LIST.exemtsotp.exe

description	pid	process	target process
PID 452 wrote to memory of 4772	452	INVOICE SHIPPING-PACKING LIST.exe	mtsotp.exe
PID 452 wrote to memory of 4772	452	INVOICE SHIPPING-PACKING LIST.exe	mtsotp.exe
PID 452 wrote to memory of 4772	452	INVOICE SHIPPING-PACKING LIST.exe	mtsotp.exe
PID 4772 wrote to memory of 4292	4772	mtsotp.exe	mtsotp.exe
PID 4772 wrote to memory of 4292	4772	mtsotp.exe	mtsotp.exe
PID 4772 wrote to memory of 4292	4772	mtsotp.exe	mtsotp.exe
PID 4772 wrote to memory of 4292	4772	mtsotp.exe	mtsotp.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE SHIPPING-PACKING LIST.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE SHIPPING-PACKING LIST.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
"C:\Users\Admin\AppData\Local\Temp\mtsotp.exe" C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
"C:\Users\Admin\AppData\Local\Temp\mtsotp.exe" C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bzpeuniie.p
Filesize
295KB

MD5
496f336ad96ed901757199597ed29a8d

SHA1
09e89adc879aeeca2ac5bb5086a40f9bc83554b4

SHA256
07ed4dc2c1cd067c5dab0e8cc252a82b0c305eecce40f25052e06f128bed9ee0

SHA512
5b1778b4c919bf4858e85f25cad2fcbaca727444ee1cefa79d2dc698e1a7cbf8fab8e35c2512744ed6f46104ab14879ae74a031fce242250d47164ce79c2b15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
Filesize
5KB

MD5
7eb0a236fb43d768410e5c3bb95611a6

SHA1
7f8a16b509031827c9a3be00b09c8ba123deb46f

SHA256
7613f2f3548b9188683477673897e90ccde6555b20970d1bf960e93d36d0566d

SHA512
d077c4db043e0eda5f6e2056a43ba936c1c4b237f472793d85804665a98029e0f162d100d2935d2eb3a902be8b3c2b71a00e8b4505f3f7b2ed8411ad05d66a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
Filesize
332KB

MD5
448629f713a637632bc9b73f52a1a742

SHA1
6f0edc468fc0f658c75c7177a01091350e0c3ccd

SHA256
bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39

SHA512
e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
Filesize
332KB

MD5
448629f713a637632bc9b73f52a1a742

SHA1
6f0edc468fc0f658c75c7177a01091350e0c3ccd

SHA256
bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39

SHA512
e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
Filesize
332KB

MD5
448629f713a637632bc9b73f52a1a742

SHA1
6f0edc468fc0f658c75c7177a01091350e0c3ccd

SHA256
bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39

SHA512
e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

Download Submit
memory/4292-137-0x0000000000000000-mapping.dmp

Download
memory/4292-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4292-140-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/4292-141-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/4292-142-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/4772-132-0x0000000000000000-mapping.dmp

Download