agenttesla | 906862566ff536f68dfc49a60c3894d4d74067544227570c13cd2f1a3e21b78f

General

Target

INVOICE AND PARKING LIST.exe
Size

668KB
MD5

9efabcfe6bfbfa5dda90ad4dc5894040
SHA1

07c7cdac9aa0658d374331c4b35a9d0190eadbee
SHA256

05472a071f902b974d4ce0d2e605058580f86ab1ad7b6c201c6f9b38608c9b4d
SHA512

bae5eb2fb1dcb683ccab5b4c5f6857ffe300b1719378050e5aab1f97e0c748dbbb5abe91b32cbe8aea3615069f0903a376310ad68ad4ad60d80f1933100e0855
SSDEEP

12288:wFkzrbETClCHskFgFwIyXCDP0SLZigmxSuhnlYiAEt+Ccf8r2Yt93cr:Z76CIskFgqIyXyLOLHbAA+Ccfkg

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.southernboilers.org
Port:
587
Username:
info@southernboilers.org
Password:
Sksmoke2018#
Email To:
obtxxxtf@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE AND PARKING LIST.exe

description pid process target process

PID 892 set thread context of 1984 892 INVOICE AND PARKING LIST.exe INVOICE AND PARKING LIST.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

576 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

INVOICE AND PARKING LIST.exe

pid process

1984 INVOICE AND PARKING LIST.exe
1984 INVOICE AND PARKING LIST.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INVOICE AND PARKING LIST.exeINVOICE AND PARKING LIST.exe

description pid process

Token: SeDebugPrivilege 892 INVOICE AND PARKING LIST.exe
Token: SeDebugPrivilege 1984 INVOICE AND PARKING LIST.exe

description	pid	process	target process
PID 892 set thread context of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe

pid	process
576	schtasks.exe

pid	process
1984	INVOICE AND PARKING LIST.exe
1984	INVOICE AND PARKING LIST.exe

description	pid	process
Token: SeDebugPrivilege	892	INVOICE AND PARKING LIST.exe
Token: SeDebugPrivilege	1984	INVOICE AND PARKING LIST.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INVOICE AND PARKING LIST.exe

description	pid	process	target process
PID 892 wrote to memory of 576	892	INVOICE AND PARKING LIST.exe	schtasks.exe
PID 892 wrote to memory of 576	892	INVOICE AND PARKING LIST.exe	schtasks.exe
PID 892 wrote to memory of 576	892	INVOICE AND PARKING LIST.exe	schtasks.exe
PID 892 wrote to memory of 576	892	INVOICE AND PARKING LIST.exe	schtasks.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe
PID 892 wrote to memory of 1984	892	INVOICE AND PARKING LIST.exe	INVOICE AND PARKING LIST.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNSzlHrvsnPyrx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3035.tmp"
2⤵
- Creates scheduled task(s)
PID:576

C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3035.tmp
Filesize
1KB

MD5
4e6fed192f88fbbcd7676b8409adf517

SHA1
fc846261801a4feb2bebd3257946d4767e7ab268

SHA256
b98ead25cd5cb114e3603a9264e12c45f6a9774014aefec945b6e29a48da4fdd

SHA512
743169b1c128c9dae816c3462c343dafebbf05b1b8a4b04f07b213d2e794b0bea49b87474c50387a6973c86a6e0c2400c9c2cca439c6c21c1619433cf1b68291

Download Submit
memory/576-59-0x0000000000000000-mapping.dmp

Download
memory/892-57-0x0000000005440000-0x00000000054C2000-memory.dmp

Filesize
520KB

Download
memory/892-54-0x0000000000CE0000-0x0000000000D8E000-memory.dmp

Filesize
696KB

Download
memory/892-58-0x0000000000AD0000-0x0000000000B0C000-memory.dmp

Filesize
240KB

Download
memory/892-56-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/892-55-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/1984-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-67-0x0000000000437B8E-mapping.dmp

Download
memory/1984-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads