agenttesla | a4ed69b3f398c38bef69c796dd57f40b6d110fce97d84802b9a2e6b77d07c93f

General

Target

SOA.exe
Size

810KB
MD5

e1666e6dc5b74fede5b52d19b6ed5eb3
SHA1

4629695826687cf1aaedbd0de805ee672ca28b78
SHA256

a4ed69b3f398c38bef69c796dd57f40b6d110fce97d84802b9a2e6b77d07c93f
SHA512

32f34f4c373397eacb0f413d3c8121aa54cdaacde1c73adbd780d0d5cc3ed6c63c03a9639ccea98c5348010e08f11bbf8fe1f434f95663b6abccdc793a9899b8
SSDEEP

12288:X2cxVYgO6MavWMO6MavWmn+Au5SjIoya5EyCdoPIeSq8057HuJ5dx:X2cHO6MavWMO6MavWOlOvF6LR5zY5dx

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wecaresvc.com
Port:
587
Username:
[email protected]
Password:
u9367gk8qc
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 2620	1804	SOA.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1804	SOA.exe
2620	SOA.exe
2620	SOA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	SOA.exe
Token: SeDebugPrivilege	2620	SOA.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2748	1804	SOA.exe	30
PID 1804 wrote to memory of 2748	1804	SOA.exe	30
PID 1804 wrote to memory of 2748	1804	SOA.exe	30
PID 1804 wrote to memory of 2748	1804	SOA.exe	30
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32
PID 1804 wrote to memory of 2620	1804	SOA.exe	32

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNVYvSgi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp642F.tmp

Filesize
1KB

MD5
60f8025cd59e75af915f4299f3bd328f

SHA1
646fa863d8aaf0dda14fff442f0348f7221d0db5

SHA256
d935d31d031c63e40843ce6076cca9d050ba97709c28dcd537f1fbd4c7486430

SHA512
4badb6c56a5d589f9333c6007cb9d200fabcd86eabd4ae2d8cef881459bca886ffbb2367d638ad0a19a9c451f099b2b08cad3202e56e5d4ef67c057882edd0f0

Download Submit
memory/1804-0-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-1-0x00000000012B0000-0x0000000001380000-memory.dmp

Filesize
832KB

Download
memory/1804-2-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-3-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/1804-4-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/1804-5-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/1804-6-0x0000000004C10000-0x0000000004C88000-memory.dmp

Filesize
480KB

Download
memory/1804-7-0x0000000000930000-0x0000000000972000-memory.dmp

Filesize
264KB

Download
memory/1804-28-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-26-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-27-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/2620-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-29-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-30-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads