agenttesla | c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e

General

Target

c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe
Size

854KB
MD5

747eb842e74c55f1fa64ab96a9c4aa90
SHA1

cb6ea5590f0e82bce6f742716df715d540ac54c5
SHA256

c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e
SHA512

e363a52c7860f9a12bcc5e3f3d82bfab16a8edc35bf871b9d49087d3fd7996bae8dd07bd3c468962eb5b73729e034de30279aaf523ed1e22f176c67d54d33a4a
SSDEEP

24576:VlMSmrqvqQ4Fej+y5ZCENW4mbz9lTrIq:VlMpYGFeySCENW4mbzHTrj

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
host2069.hostmonster.com
Port:
587
Username:
[email protected]
Password:
me!@#!@#!@#!@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\qXYojnj = "C:\\Users\\Admin\\AppData\\Roaming\\qXYojnj\\qXYojnj.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe
1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe
1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe
920	RegSvcs.exe
920	RegSvcs.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe
Token: SeDebugPrivilege	920	RegSvcs.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2948	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	30
PID 1700 wrote to memory of 2948	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	30
PID 1700 wrote to memory of 2948	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	30
PID 1700 wrote to memory of 2948	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	30
PID 1700 wrote to memory of 2612	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	32
PID 1700 wrote to memory of 2612	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	32
PID 1700 wrote to memory of 2612	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	32
PID 1700 wrote to memory of 2612	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	32
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34
PID 1700 wrote to memory of 920	1700	c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe	34

C:\Users\Admin\AppData\Local\Temp\c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe
"C:\Users\Admin\AppData\Local\Temp\c2604dd88fb142816f76e70692ea0fc157d2ebcc654f5c545b2efc075900ce4e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SGaktCAjnDlqh.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SGaktCAjnDlqh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF69.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBF69.tmp

Filesize
1KB

MD5
194664c3a8188e856581af824bccd2cb

SHA1
f42e0f373af4073dd7d82f49dbe205838ea4db1e

SHA256
3e6773ab1619231cb3d7a64f4db0530a530d2313c04636534ffe1827d8005afb

SHA512
26f640645cd19a7fc7402c99c731cfb16e6eeb954c4d9861cd996184b61291a6fa62a22dffe017f1a422a46a5094ed974effa9ae4be0fac6a1cdd22618290ac9

Download Submit
memory/920-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-29-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/920-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-35-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/920-27-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/920-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/920-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/920-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-5-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/1700-1-0x0000000000B90000-0x0000000000C6C000-memory.dmp

Filesize
880KB

Download
memory/1700-0-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-3-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-2-0x0000000004250000-0x0000000004290000-memory.dmp

Filesize
256KB

Download
memory/1700-6-0x0000000005840000-0x00000000058BC000-memory.dmp

Filesize
496KB

Download
memory/1700-28-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-4-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/2948-32-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2948-31-0x000000006DB10000-0x000000006E0BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-33-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2948-34-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2948-30-0x000000006DB10000-0x000000006E0BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-36-0x000000006DB10000-0x000000006E0BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-37-0x000000006DB10000-0x000000006E0BB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-38-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2948-40-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2948-41-0x000000006DB10000-0x000000006E0BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads