agenttesla | c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef

General

Target

c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe
Size

966KB
MD5

f680cc7dbd073f135b1000fa9221c1a3
SHA1

5dcc545fc1575a700b9b47084a70722c18d7e508
SHA256

c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef
SHA512

88711a963462f8e437e03e7ad786bff9b1635b8c8a89abebf82d1a255d24906b738dab53a0bd8e4ed5a9d9085f6ef350e5f4d44a639ead2ef72cbc2ab8422b61
SSDEEP

12288:SpF4WDE6LoMbKAn6wRt+50pt78pUC8an8pUC8a4h1q9g19QQE7sRvp73yHHKCZa6:StoMbKK3Z8N8q1q9gYQE7sh5CnKCZH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
TvNyBPp9212

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1840-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1840-64-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1840-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1840-66-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral1/memory/1840-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1840-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe

description	pid	process	target process
PID 2016 set thread context of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1508 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1840 RegSvcs.exe
1840 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1840 RegSvcs.exe

pid	process
1508	schtasks.exe

pid	process
1840	RegSvcs.exe
1840	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1840	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe

description	pid	process	target process
PID 2016 wrote to memory of 1508	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	schtasks.exe
PID 2016 wrote to memory of 1508	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	schtasks.exe
PID 2016 wrote to memory of 1508	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	schtasks.exe
PID 2016 wrote to memory of 1508	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	schtasks.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe
PID 2016 wrote to memory of 1840	2016	c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe
"C:\Users\Admin\AppData\Local\Temp\c5b473122b5ec75934213b8a425f168c924f3b4280f58bff452f5e135c79f3ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fvdcUpHdOBv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB848.tmp"
2⤵
- Creates scheduled task(s)
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB848.tmp

Filesize
1KB

MD5
16974b87105040c1a70389921620db82

SHA1
ee3e07dc0145b523099ce866d0021946ac5eefbe

SHA256
76addded63f273e63d327c70fb0022c42a0a93b4b2aeff777641be5a99d24ac4

SHA512
21d22638894e5cee1433d6b66cb81cbe323cd915ecffdcb961a597144489d7782f869478d7096e0a1bdffc539a74229083262b38e6b2b7273a9fe2d3310de86e

Download Submit
memory/1508-58-0x0000000000000000-mapping.dmp

Download
memory/1840-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-66-0x000000000043763E-mapping.dmp

Download
memory/1840-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-57-0x0000000005100000-0x000000000516C000-memory.dmp

Filesize
432KB

Download
memory/2016-56-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2016-55-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000000FB0000-0x00000000010A8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads