agenttesla | 06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b

General

Target

06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe
Size

622KB
MD5

ee58f332b2d27a1bdd8b0de098e6165c
SHA1

d0e9ec92594ef432758e63ab31f7751872c3573c
SHA256

06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b
SHA512

b9c1c84fad01332771dcdb26c833705eac7e0ec5aed399414e4c4f93a241907279415d2e1dd3acfccd8a9f042918f598377e1138ed87995fa6a2d9b4b13b517f
SSDEEP

12288:IqfLYYZXTyX0Tp+fkI5/Gh/tDpWNIIe8frsBP3MKJBPeaHwxX:bXTD+fkjDp+IIeOI539JBPLQ

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6462317492:AAGRLAwoTiA42PAg_wJuGwDb61KKicShMe4/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe

description	pid	process	target process
PID 1240 set thread context of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2716 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

pid process

2816 powershell.exe
2020 powershell.exe
2612 RegSvcs.exe
2612 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2816 powershell.exe
Token: SeDebugPrivilege 2020 powershell.exe
Token: SeDebugPrivilege 2612 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2612 RegSvcs.exe

pid	process
2716	schtasks.exe

pid	process
2816	powershell.exe
2020	powershell.exe
2612	RegSvcs.exe
2612	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2612	RegSvcs.exe

pid	process
2612	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe

description	pid	process	target process
PID 1240 wrote to memory of 2020	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2020	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2020	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2020	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2816	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2816	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2816	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2816	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	powershell.exe
PID 1240 wrote to memory of 2716	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	schtasks.exe
PID 1240 wrote to memory of 2716	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	schtasks.exe
PID 1240 wrote to memory of 2716	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	schtasks.exe
PID 1240 wrote to memory of 2716	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	schtasks.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe
PID 1240 wrote to memory of 2612	1240	06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe
"C:\Users\Admin\AppData\Local\Temp\06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\06c8a5695959ee2655fb9a537cf855398a4c814000b20d3af61c93f16e21b69b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OwXxtNQRoml.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OwXxtNQRoml" /XML "C:\Users\Admin\AppData\Local\Temp\tmp536D.tmp"
2⤵
- Creates scheduled task(s)
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp536D.tmp

Filesize
1KB

MD5
29c8f3e0857295b2ac218e8e55571982

SHA1
a9ea36b881fa0360a79ca5585037be55662ba967

SHA256
d2f1775ba2c470d1c65fc10222b5a892e4d1fce6793c498a291610c862c414ba

SHA512
5c3563d82ceb19bb7b3c490f08db1c8ec9f3909171855005c8f079af755b1e9ce4ab9d2f2870c332d20a4b8b6a21bcbe4ebd2cdd0c48562ef3b19556f968dbc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8H6HMBZAU6OPZYWYKH4D.temp

Filesize
7KB

MD5
212d88c02dcd3ae3ef88d72434250079

SHA1
27be53fb307edb2b74bc65c00dc0c94260a2f0d4

SHA256
6ac8c14554776126a1a9239c5850d4f7057c40867c6a44d00c1e8e395b97bfba

SHA512
cdf273a4f285d37092d5bf44b549c39d737acba17cdb1c3b73b7b27a3862166668edcf08b38a2d63cd3a41216c0f6205734b37e6d5ad6bccc2c8913469d6ef78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
212d88c02dcd3ae3ef88d72434250079

SHA1
27be53fb307edb2b74bc65c00dc0c94260a2f0d4

SHA256
6ac8c14554776126a1a9239c5850d4f7057c40867c6a44d00c1e8e395b97bfba

SHA512
cdf273a4f285d37092d5bf44b549c39d737acba17cdb1c3b73b7b27a3862166668edcf08b38a2d63cd3a41216c0f6205734b37e6d5ad6bccc2c8913469d6ef78

Download Submit
memory/1240-4-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/1240-26-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/1240-5-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/1240-6-0x00000000005E0000-0x000000000065C000-memory.dmp

Filesize
496KB

Download
memory/1240-3-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/1240-2-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/1240-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/1240-39-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/1240-0-0x0000000000CD0000-0x0000000000D70000-memory.dmp

Filesize
640KB

Download
memory/2020-20-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-31-0x00000000028D0000-0x0000000002910000-memory.dmp

Filesize
256KB

Download
memory/2020-41-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-33-0x00000000028D0000-0x0000000002910000-memory.dmp

Filesize
256KB

Download
memory/2020-47-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-37-0x00000000028D0000-0x0000000002910000-memory.dmp

Filesize
256KB

Download
memory/2612-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-48-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-45-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2612-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-44-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-24-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2816-22-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-29-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/2816-46-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-28-0x000000006FA50000-0x000000006FFFB000-memory.dmp

Filesize
5.7MB

Download
memory/2816-35-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads