agenttesla | 7f9dbb80b521659c42f8ea8199a508f454a5ebe4a7960f90c15f1f1f9f4f471a

General

Target

overdue invoice pdf.exe
Size

847KB
MD5

a3976a8131593cd5f257e1609cba021c
SHA1

1e761268105bc1613d697d9941447c3241463029
SHA256

0f350d7a72e30d6fa7234e953e127b426ffabb6960446a90a53d6c0dd6392138
SHA512

d8b5c3b2d39b1fe89a5db1fc273527c163ebac5f2933799cc279b76def0eecd7e3047bb29b0b7c9feb6b6fe92ca8d302e52cd277da08f07f75f1676d0dac75eb
SSDEEP

12288:LUVv25w+n42d1mbTzFgaJmv3xnPBtDPLd4o8wTrQ2lIC6swoeXGkDkNMw+gtYaIS:LdcBmvxLLFHIvtXGkDkSwvYmZf

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.vpindustries.co.in
Port:
587
Username:
[email protected]
Password:
saleS*9988
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\RdYoK = "C:\\Users\\Admin\\AppData\\Roaming\\RdYoK\\RdYoK.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2288	2220	overdue invoice pdf.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2952	powershell.exe
2920	powershell.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2220	overdue invoice pdf.exe
2288	RegSvcs.exe
2288	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	overdue invoice pdf.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2288	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2920	2220	overdue invoice pdf.exe	30
PID 2220 wrote to memory of 2920	2220	overdue invoice pdf.exe	30
PID 2220 wrote to memory of 2920	2220	overdue invoice pdf.exe	30
PID 2220 wrote to memory of 2920	2220	overdue invoice pdf.exe	30
PID 2220 wrote to memory of 2952	2220	overdue invoice pdf.exe	32
PID 2220 wrote to memory of 2952	2220	overdue invoice pdf.exe	32
PID 2220 wrote to memory of 2952	2220	overdue invoice pdf.exe	32
PID 2220 wrote to memory of 2952	2220	overdue invoice pdf.exe	32
PID 2220 wrote to memory of 2944	2220	overdue invoice pdf.exe	34
PID 2220 wrote to memory of 2944	2220	overdue invoice pdf.exe	34
PID 2220 wrote to memory of 2944	2220	overdue invoice pdf.exe	34
PID 2220 wrote to memory of 2944	2220	overdue invoice pdf.exe	34
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36
PID 2220 wrote to memory of 2288	2220	overdue invoice pdf.exe	36

C:\Users\Admin\AppData\Local\Temp\overdue invoice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\overdue invoice pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\overdue invoice pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\artlkRu.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\artlkRu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2194.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2194.tmp

Filesize
1KB

MD5
320d45cca1dca26e81dbf646cc4f9b59

SHA1
ae18ca1f4a7ddf28589ebb7f8b9dbea0f459d620

SHA256
d96ecd8b1b7bc5bcf547ce0480b1af748fbd370524140eb0f5a999add23bd885

SHA512
50c3ee98cf730907f9d9b3a20b9e15c7b3a38e52636e6e8054e36faa0bb79aa444f3790aabbcdeae52d8abca795d759f35963d322adbdd2a766f3502ecaeac55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J2DB8P6FGAY8DCYWOAZ7.temp

Filesize
7KB

MD5
9cc6dd1e13e517bacee806ab89d78659

SHA1
f6cb0d37e99b7230e317c409cdba8426e972bbef

SHA256
4cb757aebad29c46df56fa728df75ee97e26c3f854ae32173f1f6e873e56d340

SHA512
e071137785e6c838ca38a9329da73ca1b1d0fd7060bd6af9001df79a713a51b0dc4408d452fceac92f003fc6df85c7ed0dedb915c57e998cac627aef58dbb486

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9cc6dd1e13e517bacee806ab89d78659

SHA1
f6cb0d37e99b7230e317c409cdba8426e972bbef

SHA256
4cb757aebad29c46df56fa728df75ee97e26c3f854ae32173f1f6e873e56d340

SHA512
e071137785e6c838ca38a9329da73ca1b1d0fd7060bd6af9001df79a713a51b0dc4408d452fceac92f003fc6df85c7ed0dedb915c57e998cac627aef58dbb486

Download Submit
memory/2220-0-0x0000000000340000-0x0000000000418000-memory.dmp

Filesize
864KB

Download
memory/2220-1-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-2-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download
memory/2220-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2220-4-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-5-0x0000000001ED0000-0x0000000001F10000-memory.dmp

Filesize
256KB

Download
memory/2220-6-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/2220-7-0x0000000005E30000-0x0000000005EAC000-memory.dmp

Filesize
496KB

Download
memory/2220-46-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-50-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2288-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-49-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-47-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2288-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-45-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2920-35-0x000000006DA30000-0x000000006DFDB000-memory.dmp

Filesize
5.7MB

Download
memory/2920-20-0x000000006DA30000-0x000000006DFDB000-memory.dmp

Filesize
5.7MB

Download
memory/2920-22-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2920-27-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2920-24-0x000000006DA30000-0x000000006DFDB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-25-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2952-34-0x000000006DA30000-0x000000006DFDB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-32-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2952-31-0x000000006DA30000-0x000000006DFDB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-21-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2952-23-0x000000006DA30000-0x000000006DFDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads