agenttesla | 4c3edbfef1d80c6430055e9f28ea5f13bc7805e8919a4d8ad1c10108e4b09b59

General

Target

PO. No. 5500371145.exe
Size

678KB
MD5

7f4f6e3789449c78b61f26d679cf5a2f
SHA1

377ca37dcf869dbc2c6207a4dd383f85b9f6b65d
SHA256

5ff36a084b23be3de1baeb6953f2d0488d8f1ea257d1b83d64ad8fb64bc8dc39
SHA512

b9c614984dd6ff1ef21874b8fde9eaedb14d9afe59e4c3c3525eff8212d4f7424366f5c5e95dc004fd9cf7e6bac29e8117b13174ba9ad6e3e9740612c08f4f47
SSDEEP

12288:GCB0JiIeS0K36xgYG86Ox2nzNwqIH2kGX3DwxV7ccqidnuB/LhYcvwfqIrs9:l0Jis36aYv6Ox2xkGaxqFmcxa

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.scorpionlogistics.qa
Port:
587
Username:
[email protected]
Password:
M30009637
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PO. No. 5500371145.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"	PO. No. 5500371145.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO. No. 5500371145.exe

description pid process target process

PID 2580 set thread context of 772 2580 PO. No. 5500371145.exe PO. No. 5500371145.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2584 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2580 set thread context of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe

pid	process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PO. No. 5500371145.exePO. No. 5500371145.exepowershell.exepowershell.exe

pid	process
2580	PO. No. 5500371145.exe
2580	PO. No. 5500371145.exe
2580	PO. No. 5500371145.exe
2580	PO. No. 5500371145.exe
2580	PO. No. 5500371145.exe
2580	PO. No. 5500371145.exe
772	PO. No. 5500371145.exe
772	PO. No. 5500371145.exe
2756	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO. No. 5500371145.exePO. No. 5500371145.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2580	PO. No. 5500371145.exe
Token: SeDebugPrivilege	772	PO. No. 5500371145.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO. No. 5500371145.exe

pid process

772 PO. No. 5500371145.exe

pid	process
772	PO. No. 5500371145.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

PO. No. 5500371145.exe

description	pid	process	target process
PID 2580 wrote to memory of 2756	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2756	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2756	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2756	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2820	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2820	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2820	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2820	2580	PO. No. 5500371145.exe	powershell.exe
PID 2580 wrote to memory of 2584	2580	PO. No. 5500371145.exe	schtasks.exe
PID 2580 wrote to memory of 2584	2580	PO. No. 5500371145.exe	schtasks.exe
PID 2580 wrote to memory of 2584	2580	PO. No. 5500371145.exe	schtasks.exe
PID 2580 wrote to memory of 2584	2580	PO. No. 5500371145.exe	schtasks.exe
PID 2580 wrote to memory of 696	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 696	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 696	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 696	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe
PID 2580 wrote to memory of 772	2580	PO. No. 5500371145.exe	PO. No. 5500371145.exe

C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
"C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mKYYhRtPkmXrC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKYYhRtPkmXrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB90.tmp"
2⤵
- Creates scheduled task(s)
PID:2584

C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
"C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
2⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe
"C:\Users\Admin\AppData\Local\Temp\PO. No. 5500371145.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDB90.tmp

Filesize
1KB

MD5
6c9b33ac77657bb5872b2b119363934c

SHA1
75cba89ba62faef173b9b0f7d043aaaf8877dad8

SHA256
e71767bf9ce0fe8f60beb2b04aa95dae4b54cf716c66d6c84dab51921600a002

SHA512
dba5d6889658ebc6c989cdb451632e70fb55e76f77e4cb30c2249eb4bfec7ddc52b6cd6bae0f5f08c93390d55dddac0190f71ea9af39cabd6eb48ca00a4200e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SA7HLTGJG1UBB0OTRFSS.temp

Filesize
7KB

MD5
6b31f0680b6d27f3e34f38b3e60e66b5

SHA1
236bb0fccd5474342962268c71847deacdf23591

SHA256
dd5dbb2eecc9ab5bd179764d3e3b989ed3308c9b59ed52a11de0bf15b94a19e2

SHA512
defdd55b79cbb65e407bd87db8f3bd7f914e401ff53c176a4cb87057f314786a1dfd6e9881498eafc6b319bad554efa92150049b1d3b3e52c4742b7136d5e772

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6b31f0680b6d27f3e34f38b3e60e66b5

SHA1
236bb0fccd5474342962268c71847deacdf23591

SHA256
dd5dbb2eecc9ab5bd179764d3e3b989ed3308c9b59ed52a11de0bf15b94a19e2

SHA512
defdd55b79cbb65e407bd87db8f3bd7f914e401ff53c176a4cb87057f314786a1dfd6e9881498eafc6b319bad554efa92150049b1d3b3e52c4742b7136d5e772

Download Submit
memory/772-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-47-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/772-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-46-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/772-41-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/772-39-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/772-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/772-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-5-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2580-3-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2580-27-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2580-4-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2580-23-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2580-6-0x00000000053F0000-0x000000000546C000-memory.dmp

Filesize
496KB

Download
memory/2580-0-0x0000000000D30000-0x0000000000DE0000-memory.dmp

Filesize
704KB

Download
memory/2580-40-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2580-2-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2580-1-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-20-0x000000006ECC0000-0x000000006F26B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-42-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2756-43-0x000000006ECC0000-0x000000006F26B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-24-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2820-19-0x000000006ECC0000-0x000000006F26B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-21-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2820-44-0x000000006ECC0000-0x000000006F26B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-22-0x000000006ECC0000-0x000000006F26B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads