agenttesla | 9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0

General

Target

9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
Size

1.1MB
MD5

ff2c9703769899ee498443e36eef9bd5
SHA1

edcd323170bb8f01670842af2123caef11a64967
SHA256

9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0
SHA512

e175aa337070fd7d9b3f8701b6db5bdb042442adb7b252012f4612712bcf3997b667302908b75d68c644e064f0185a29e7319782910530a86f277cfda6b89171
SSDEEP

12288:QbXebp6qWip6qWmFZ+qtO1eOGaMgvHe6+lL07YTVAf:EX4p9Wip9WyWeOGaMg/7+lL0aVg

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.elec-qatar.com
Port:
587
Username:
[email protected]
Password:
MHabrar2019@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
Token: SeDebugPrivilege	220	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3772	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	106
PID 4972 wrote to memory of 3772	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	106
PID 4972 wrote to memory of 3772	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	106
PID 4972 wrote to memory of 1460	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	108
PID 4972 wrote to memory of 1460	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	108
PID 4972 wrote to memory of 1460	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	108
PID 4972 wrote to memory of 228	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	109
PID 4972 wrote to memory of 228	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	109
PID 4972 wrote to memory of 228	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	109
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110
PID 4972 wrote to memory of 220	4972	9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe	110

C:\Users\Admin\AppData\Local\Temp\9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
"C:\Users\Admin\AppData\Local\Temp\9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GaTKVO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE805.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
  "{path}"
  2⤵
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
  "{path}"
  2⤵
  PID:228
- C:\Users\Admin\AppData\Local\Temp\9a5905681d06046a72adfb440fb47f6d1fa02400ba970f214246a328276ac7c0.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE805.tmp

Filesize
1KB

MD5
abfdd8999c3a525740b75fb5fb44bf19

SHA1
d03a986a032fcd17e68693cf71433198c7d1d23c

SHA256
730892aa91d71be205d6ba02ddb247125e233fee8c130b7075e5a58865b3c6e5

SHA512
cbcc36c7f0fe9b3ce19d8f5e0566b0948ca2e29de7cc80187ec1736e33bb1cde22eb6662415d4dd26fb87f240fe51d35be4c07d79991a746d9361dac809e3c23

Download Submit
memory/220-22-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/220-21-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/220-19-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/220-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4972-5-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/4972-12-0x0000000001390000-0x0000000001410000-memory.dmp

Filesize
512KB

Download
memory/4972-7-0x00000000056D0000-0x0000000005726000-memory.dmp

Filesize
344KB

Download
memory/4972-8-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/4972-9-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-10-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/4972-11-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/4972-6-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/4972-13-0x0000000001410000-0x0000000001440000-memory.dmp

Filesize
192KB

Download
memory/4972-0-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-4-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/4972-3-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/4972-20-0x0000000075020000-0x00000000757D0000-memory.dmp

Filesize
7.7MB

Download
memory/4972-2-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/4972-1-0x00000000008B0000-0x00000000009C4000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads