agenttesla | 7c042716cacb46c8c1a105fd13ceb1093f20d28c869623c4d2236805876a9f1d

Analysis

max time kernel
230s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

1003KB
MD5

9cebcfb64b5db38123a7fb8a343a0f9e
SHA1

12bd9e27c6f82790176859474e80c344a215d363
SHA256

7c042716cacb46c8c1a105fd13ceb1093f20d28c869623c4d2236805876a9f1d
SHA512

0361802f5ba60f763dea61ab823aed0f2e8baf82cc5f636ce7aaa5b725b00487289131ffb143f0c5715e15385ffda7496d513ff2b3182bf52c9db7bb04ce0cb8
SSDEEP

24576:PHAKIvXxgi1lb9D1rlpF6DZE+VmtzhSHDvRjK7U:/pU6K3lnQdmrWl

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA.exe

description pid process target process

PID 872 set thread context of 1888 872 SOA.exe SOA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1708 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SOA.exeSOA.exe

pid process

872 SOA.exe
1888 SOA.exe
1888 SOA.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SOA.exeSOA.exe

description pid process

Token: SeDebugPrivilege 872 SOA.exe
Token: SeDebugPrivilege 1888 SOA.exe

description	pid	process	target process
PID 872 set thread context of 1888	872	SOA.exe	SOA.exe

pid	process
1708	schtasks.exe

pid	process
872	SOA.exe
1888	SOA.exe
1888	SOA.exe

description	pid	process
Token: SeDebugPrivilege	872	SOA.exe
Token: SeDebugPrivilege	1888	SOA.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SOA.exe

description	pid	process	target process
PID 872 wrote to memory of 1708	872	SOA.exe	schtasks.exe
PID 872 wrote to memory of 1708	872	SOA.exe	schtasks.exe
PID 872 wrote to memory of 1708	872	SOA.exe	schtasks.exe
PID 872 wrote to memory of 1708	872	SOA.exe	schtasks.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe
PID 872 wrote to memory of 1888	872	SOA.exe	SOA.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XasLYnYY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB127.tmp"
2⤵
- Creates scheduled task(s)
PID:1708

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB127.tmp

Filesize
1KB

MD5
557e5101f0bf641e886eb2c3e9b82e33

SHA1
71da8fb416bfcc30ccfa91b3361dd841e16c4542

SHA256
393406a59a4224675480dbf1384b173be9e91b629b0fbf21e09f0a9bc634a161

SHA512
7503cc31f849c6fc1b9861fe1aab0a4971cc9e1d5aac5b61bf6a22bd89109516cc21100b78a224d5613303aba544b35d9219b2b9ac42aba4e4cf459d2370d57f

Download Submit
memory/872-57-0x00000000054C0000-0x0000000005558000-memory.dmp

Filesize
608KB

Download
memory/872-56-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/872-54-0x0000000001340000-0x0000000001442000-memory.dmp

Filesize
1.0MB

Download
memory/872-58-0x0000000000B10000-0x0000000000B5C000-memory.dmp

Filesize
304KB

Download
memory/872-55-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download
memory/1888-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-67-0x000000000042971E-mapping.dmp

Download
memory/1888-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download