agenttesla | 0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069

General

Target

0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
Size

708KB
MD5

3973d65313ddda73d13f1d170e7a42af
SHA1

c5afa670719fcf48dfd5552925e184a3ba227d4b
SHA256

0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069
SHA512

cae564d0703e49b2613dbeff0ec1be1a796e092283b2e4db3663e53a66a71d3247a09b8424af5d1173262992a09b744ac475e50d3ceb7546917d83f4645e21dd
SSDEEP

12288:wBXa5k7Tu3XDG2KtsL+qqE1fB6KMebd7O5gwdezYJHTyU6rs47sdiGlmJb:Ma5S4G2KtA+uNMWdiawMkzXus47sIGlg

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.personaltrade.by
Port:
587
Username:
[email protected]
Password:
Leto!Leto1

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe

description	pid	process	target process
PID 852 set thread context of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1516 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1576 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1576 powershell.exe

pid	process
1516	schtasks.exe

pid	process
1576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1576	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe

description	pid	process	target process
PID 852 wrote to memory of 1576	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	powershell.exe
PID 852 wrote to memory of 1576	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	powershell.exe
PID 852 wrote to memory of 1576	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	powershell.exe
PID 852 wrote to memory of 1576	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	powershell.exe
PID 852 wrote to memory of 1516	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	schtasks.exe
PID 852 wrote to memory of 1516	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	schtasks.exe
PID 852 wrote to memory of 1516	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	schtasks.exe
PID 852 wrote to memory of 1516	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	schtasks.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
PID 852 wrote to memory of 1540	852	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe	0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe

C:\Users\Admin\AppData\Local\Temp\0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
"C:\Users\Admin\AppData\Local\Temp\0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ptaFgcL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ptaFgcL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9A5.tmp"
2⤵
- Creates scheduled task(s)
PID:1516

C:\Users\Admin\AppData\Local\Temp\0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe
"C:\Users\Admin\AppData\Local\Temp\0927ab46092b483d9ff5546e54de2b907d36287fd2ca1c7450eae9f77f680069.exe"
2⤵
PID:1540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE9A5.tmp
Filesize
1KB

MD5
c398b3fe679178e6a72d431f65983326

SHA1
68f38b7db9b3fd0053e51975a5741c64d311d799

SHA256
0afc5e1cdf5fa666cff33f7b41062330178ac4d76c4534259d5d60bd1667bddc

SHA512
5d8388387937e43b264adcbcb436aeabfcd5680fd10b9c83ad9693b0e6146701127e48c69b3d619e94044a4a440237a299a47b75365911d36c4ed16f2a62f81e

Download Submit
memory/852-65-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/852-55-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/852-56-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download
memory/852-57-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/852-58-0x00000000051D0000-0x000000000525A000-memory.dmp

Filesize
552KB

Download
memory/852-54-0x0000000010290000-0x0000000010344000-memory.dmp

Filesize
720KB

Download
memory/1516-60-0x0000000000000000-mapping.dmp

Download
memory/1540-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-72-0x0000000000435DDE-mapping.dmp

Download
memory/1540-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1540-76-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1576-64-0x000000006ED40000-0x000000006F2EB000-memory.dmp

Filesize
5.7MB

Download
memory/1576-63-0x000000006ED40000-0x000000006F2EB000-memory.dmp

Filesize
5.7MB

Download
memory/1576-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads