agenttesla | 32bd5e6ae241a016f718e4ae16a189b40d3eb72c497eedd03a44299e5654644a

Analysis

max time kernel
254s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV and NOA.exe
Size

668KB
MD5

9efabcfe6bfbfa5dda90ad4dc5894040
SHA1

07c7cdac9aa0658d374331c4b35a9d0190eadbee
SHA256

05472a071f902b974d4ce0d2e605058580f86ab1ad7b6c201c6f9b38608c9b4d
SHA512

bae5eb2fb1dcb683ccab5b4c5f6857ffe300b1719378050e5aab1f97e0c748dbbb5abe91b32cbe8aea3615069f0903a376310ad68ad4ad60d80f1933100e0855
SSDEEP

12288:wFkzrbETClCHskFgFwIyXCDP0SLZigmxSuhnlYiAEt+Ccf8r2Yt93cr:Z76CIskFgqIyXyLOLHbAA+Ccfkg

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.southernboilers.org
Port:
587
Username:
info@southernboilers.org
Password:
Sksmoke2018#
Email To:
obtxxxtf@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV and NOA.exe

description pid process target process

PID 580 set thread context of 1716 580 INV and NOA.exe INV and NOA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

INV and NOA.exe

pid process

580 INV and NOA.exe
580 INV and NOA.exe
580 INV and NOA.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INV and NOA.exe

description pid process

Token: SeDebugPrivilege 580 INV and NOA.exe

description	pid	process	target process
PID 580 set thread context of 1716	580	INV and NOA.exe	INV and NOA.exe

pid	process
1812	schtasks.exe

pid	process
580	INV and NOA.exe
580	INV and NOA.exe
580	INV and NOA.exe

description	pid	process
Token: SeDebugPrivilege	580	INV and NOA.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INV and NOA.exe

description	pid	process	target process
PID 580 wrote to memory of 1812	580	INV and NOA.exe	schtasks.exe
PID 580 wrote to memory of 1812	580	INV and NOA.exe	schtasks.exe
PID 580 wrote to memory of 1812	580	INV and NOA.exe	schtasks.exe
PID 580 wrote to memory of 1812	580	INV and NOA.exe	schtasks.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe
PID 580 wrote to memory of 1716	580	INV and NOA.exe	INV and NOA.exe

C:\Users\Admin\AppData\Local\Temp\INV and NOA.exe
"C:\Users\Admin\AppData\Local\Temp\INV and NOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNSzlHrvsnPyrx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp29A1.tmp"
2⤵
- Creates scheduled task(s)
PID:1812

C:\Users\Admin\AppData\Local\Temp\INV and NOA.exe
"{path}"
2⤵
PID:1716

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp29A1.tmp
Filesize
1KB

MD5
4e6fed192f88fbbcd7676b8409adf517

SHA1
fc846261801a4feb2bebd3257946d4767e7ab268

SHA256
b98ead25cd5cb114e3603a9264e12c45f6a9774014aefec945b6e29a48da4fdd

SHA512
743169b1c128c9dae816c3462c343dafebbf05b1b8a4b04f07b213d2e794b0bea49b87474c50387a6973c86a6e0c2400c9c2cca439c6c21c1619433cf1b68291

Download Submit
memory/580-57-0x0000000005590000-0x0000000005612000-memory.dmp

Filesize
520KB

Download
memory/580-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/580-54-0x00000000012C0000-0x000000000136E000-memory.dmp

Filesize
696KB

Download
memory/580-58-0x0000000000490000-0x00000000004CC000-memory.dmp

Filesize
240KB

Download
memory/580-56-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1716-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-67-0x0000000000437B8E-mapping.dmp

Download
memory/1716-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads