agenttesla | 4c3edbfef1d80c6430055e9f28ea5f13bc7805e8919a4d8ad1c10108e4b09b59

General

Target

PO. No. 5500371145.exe
Size

678KB
MD5

7f4f6e3789449c78b61f26d679cf5a2f
SHA1

377ca37dcf869dbc2c6207a4dd383f85b9f6b65d
SHA256

5ff36a084b23be3de1baeb6953f2d0488d8f1ea257d1b83d64ad8fb64bc8dc39
SHA512

b9c614984dd6ff1ef21874b8fde9eaedb14d9afe59e4c3c3525eff8212d4f7424366f5c5e95dc004fd9cf7e6bac29e8117b13174ba9ad6e3e9740612c08f4f47
SSDEEP

12288:GCB0JiIeS0K36xgYG86Ox2nzNwqIH2kGX3DwxV7ccqidnuB/LhYcvwfqIrs9:l0Jis36aYv6Ox2xkGaxqFmcxa

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.scorpionlogistics.qa
Port:
587
Username:
[email protected]
Password:
M30009637
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PO. No. 5500371145.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"	PO. No. 5500371145.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO. No. 5500371145.exe

description pid process target process

PID 2552 set thread context of 2944 2552 PO. No. 5500371145.exe PO. No. 5500371145.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2992 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2552 set thread context of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe

pid	process
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PO. No. 5500371145.exePO. No. 5500371145.exepowershell.exepowershell.exe

pid	process
2552	PO. No. 5500371145.exe
2552	PO. No. 5500371145.exe
2944	PO. No. 5500371145.exe
2944	PO. No. 5500371145.exe
2792	powershell.exe
2208	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO. No. 5500371145.exePO. No. 5500371145.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2552	PO. No. 5500371145.exe
Token: SeDebugPrivilege	2944	PO. No. 5500371145.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO. No. 5500371145.exe

pid process

2944 PO. No. 5500371145.exe

pid	process
2944	PO. No. 5500371145.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PO. No. 5500371145.exe

description	pid	process	target process
PID 2552 wrote to memory of 2208	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2208	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2208	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2208	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2792	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2792	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2792	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2792	2552	PO. No. 5500371145.exe	powershell.exe
PID 2552 wrote to memory of 2992	2552	PO. No. 5500371145.exe	schtasks.exe
PID 2552 wrote to memory of 2992	2552	PO. No. 5500371145.exe	schtasks.exe
PID 2552 wrote to memory of 2992	2552	PO. No. 5500371145.exe	schtasks.exe
PID 2552 wrote to memory of 2992	2552	PO. No. 5500371145.exe	schtasks.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2552 wrote to memory of 2944	2552	PO. No. 5500371145.exe	PO. No. 5500371145.exe

C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
"C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mKYYhRtPkmXrC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKYYhRtPkmXrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7BB.tmp"
2⤵
- Creates scheduled task(s)
PID:2992

C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
"C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB7BB.tmp

Filesize
1KB

MD5
28743d2bac6a1fa0132a48c7a214a87e

SHA1
e84bfca375933c587e5c1c4102059c5637052f79

SHA256
ae0d485be0909951f94e7974317adfb923367bc5cb95cb1a9c446517b85bf21f

SHA512
0c94add38d2db66ee39153f4c5598bdf34dd33835df7ae05e254759ee8c21d3a365d42845d46b6c26c71d424ca79771d3d282d7336bb6bda005548538d582280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVWATAJK5ZSJPTMW4F6D.temp

Filesize
7KB

MD5
639b2f4b86fe07581c4caa91c1cf0bb2

SHA1
3416eddb0c8cbafae2130cb860f486bde635360d

SHA256
bcd155b897044689ee8493f7e6b55410b5c52b83eeb805751b5c5a3c3c8260da

SHA512
b6286388c3ccb5f200c708ea8460c9695d6f3a180c2e1d498adb9df2316b47a7ffe23415db787d05b159dfd8af40c627879c85249141ceae80597a926da40fc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
639b2f4b86fe07581c4caa91c1cf0bb2

SHA1
3416eddb0c8cbafae2130cb860f486bde635360d

SHA256
bcd155b897044689ee8493f7e6b55410b5c52b83eeb805751b5c5a3c3c8260da

SHA512
b6286388c3ccb5f200c708ea8460c9695d6f3a180c2e1d498adb9df2316b47a7ffe23415db787d05b159dfd8af40c627879c85249141ceae80597a926da40fc8

Download Submit
memory/2208-32-0x000000006E760000-0x000000006ED0B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-33-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download
memory/2208-37-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download
memory/2208-34-0x000000006E760000-0x000000006ED0B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-41-0x000000006E760000-0x000000006ED0B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2552-6-0x0000000005070000-0x00000000050EC000-memory.dmp

Filesize
496KB

Download
memory/2552-5-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2552-30-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-0-0x0000000000B00000-0x0000000000BB0000-memory.dmp

Filesize
704KB

Download
memory/2552-3-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2552-2-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/2552-1-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-38-0x0000000001D00000-0x0000000001D40000-memory.dmp

Filesize
256KB

Download
memory/2792-35-0x0000000001D00000-0x0000000001D40000-memory.dmp

Filesize
256KB

Download
memory/2792-42-0x000000006E760000-0x000000006ED0B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-31-0x000000006E760000-0x000000006ED0B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-40-0x000000006E760000-0x000000006ED0B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-36-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2944-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-39-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-44-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2944-45-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads