agenttesla | 3239f36044eff21de6675f1efe4df404dc2a46387637fc434c49f3754d2cf37f

General

Target

MT103.exe
Size

663KB
MD5

720a42feb540dc11b7048246932c0bff
SHA1

962e757e1a74e3a5030106832e62ebc459a3557d
SHA256

d61e3784b7daf6605b40092e7eefa5844f36dfdc2235d90bf8a2ed164da875ad
SHA512

af718f45f16a027e7c2ee39890db541200e67327fc00a2ea9581385c729cbb73dcc033fc1c6de28716ce89d071040b17baed600b5b8615068fce3204a73ccd5f
SSDEEP

12288:i0WWObWAZ1Tut1OJI+yByzqyANhML9MpSsVl:14LTTuLBovANSLeUol

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.adityagroup.co
Port:
587
Username:
[email protected]
Password:
Aditya!@#$%^
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2736	powershell.exe
2008	powershell.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe
2944	MT103.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	MT103.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2736	2944	MT103.exe	30
PID 2944 wrote to memory of 2736	2944	MT103.exe	30
PID 2944 wrote to memory of 2736	2944	MT103.exe	30
PID 2944 wrote to memory of 2736	2944	MT103.exe	30
PID 2944 wrote to memory of 2008	2944	MT103.exe	32
PID 2944 wrote to memory of 2008	2944	MT103.exe	32
PID 2944 wrote to memory of 2008	2944	MT103.exe	32
PID 2944 wrote to memory of 2008	2944	MT103.exe	32
PID 2944 wrote to memory of 2996	2944	MT103.exe	35
PID 2944 wrote to memory of 2996	2944	MT103.exe	35
PID 2944 wrote to memory of 2996	2944	MT103.exe	35
PID 2944 wrote to memory of 2996	2944	MT103.exe	35
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36
PID 2944 wrote to memory of 2976	2944	MT103.exe	36

C:\Users\Admin\AppData\Local\Temp\MT103.exe
"C:\Users\Admin\AppData\Local\Temp\MT103.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MT103.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XwYDnUei.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XwYDnUei" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8141.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8141.tmp

Filesize
1KB

MD5
8c03d16b70f547bc018821b449c74005

SHA1
964e13721757a15ae46630f008966cf232515e4b

SHA256
5009c58d072acc7550b7d329e9973f1318cc8e572eb35d12550e4ca3e5db5db3

SHA512
8aaacc9716dca057d83a8cbe7baae888d06e4924e1fbc4003c2d7c09e17303fc62331324a842a6641ed59c7502b79dc24c7e228a70e7be2282d8b0c09f0daceb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\248OWDB4WUJG5ZVO6BIC.temp

Filesize
7KB

MD5
29805a45bfcff0834a9cddcf15b3a7f4

SHA1
f8fb3880200bf0f8a419e967c511b9f48227c41a

SHA256
c292c373a504f48cd55e8ebe12771a68c5cab1af8f2317c8a2c705a5236a0a55

SHA512
4d3f8097c598f8bb24859a70f89573c7f43f5f915948cf10df36517c48ea546213cff7eed7c1cedb738f7cfa347b0acb018cfeb1acfd47a889b77d9503f0d06d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
29805a45bfcff0834a9cddcf15b3a7f4

SHA1
f8fb3880200bf0f8a419e967c511b9f48227c41a

SHA256
c292c373a504f48cd55e8ebe12771a68c5cab1af8f2317c8a2c705a5236a0a55

SHA512
4d3f8097c598f8bb24859a70f89573c7f43f5f915948cf10df36517c48ea546213cff7eed7c1cedb738f7cfa347b0acb018cfeb1acfd47a889b77d9503f0d06d

Download Submit
memory/2008-33-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2008-30-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2008-25-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-36-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-20-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-22-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2736-34-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2736-31-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2736-27-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-35-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2736-21-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2736-23-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-6-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/2944-7-0x0000000004B20000-0x0000000004B8A000-memory.dmp

Filesize
424KB

Download
memory/2944-0-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-5-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2944-4-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-3-0x0000000000920000-0x0000000000934000-memory.dmp

Filesize
80KB

Download
memory/2944-2-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2944-1-0x0000000000CA0000-0x0000000000D4A000-memory.dmp

Filesize
680KB

Download
memory/2976-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2976-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2976-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2976-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads