agenttesla | 9cadda8241bb7393ed10e4e3e58b0cafddb31b01334afe38ebb3f94e73190c2c

General

Target

New Order.exe
Size

640KB
MD5

bca932f9df0a984231fd9855747b4dfb
SHA1

fa0b4ce1a7e659e397566da2325229a5203953fd
SHA256

9cadda8241bb7393ed10e4e3e58b0cafddb31b01334afe38ebb3f94e73190c2c
SHA512

7b989799f329b5c779792cdd6197b8a64c379b1d6c79afc68d70666026b68ede9e91f374dde0c7e33c418072f5bb4035268768ad5c1b50e4c6157a7c4d6f68c5
SSDEEP

12288:3uPm4WVKFOVclXp0pd/EUC/fzbxha6MOnvVYQazzq4Cp158SA:im1VKX50X/EUa7apYdEzVSYS

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
zqamcx.com
Port:
587
Username:
[email protected]
Password:
Anambraeast@2023
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 2568 set thread context of 2416 2568 New Order.exe New Order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2880 schtasks.exe

description	pid	process	target process
PID 2568 set thread context of 2416	2568	New Order.exe	New Order.exe

pid	process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

New Order.exeNew Order.exepowershell.exepowershell.exe

pid	process
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2568	New Order.exe
2416	New Order.exe
2416	New Order.exe
2648	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

New Order.exeNew Order.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2568	New Order.exe
Token: SeDebugPrivilege	2416	New Order.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

New Order.exe

pid process

2416 New Order.exe

pid	process
2416	New Order.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 2568 wrote to memory of 2756	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2756	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2756	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2756	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2648	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2648	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2648	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2648	2568	New Order.exe	powershell.exe
PID 2568 wrote to memory of 2880	2568	New Order.exe	schtasks.exe
PID 2568 wrote to memory of 2880	2568	New Order.exe	schtasks.exe
PID 2568 wrote to memory of 2880	2568	New Order.exe	schtasks.exe
PID 2568 wrote to memory of 2880	2568	New Order.exe	schtasks.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe
PID 2568 wrote to memory of 2416	2568	New Order.exe	New Order.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jXjQOf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jXjQOf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE753.tmp"
2⤵
- Creates scheduled task(s)
PID:2880

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE753.tmp

Filesize
1KB

MD5
11648fb29bf2486cab7034fc89227106

SHA1
f3e6b6d090b02e72d575095c1808b172467caa35

SHA256
55ab41941d25d886bf5a7d7344691a8657b0c1f22f554fb535de917321d6d168

SHA512
c3c5e3c83dd70fa2b11b12d2f7bfe6416356ec0cf10f68e2d6759f4fbc3c9287e0f1eae987333d5bce642b572b281c12bfc333fac63272b96d5886091360d8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QE5BIBE1AUBLHQWSOJAO.temp

Filesize
7KB

MD5
65743e8a6916478b93c8ccfe3c64fd24

SHA1
93da50728d2c46449bd372b8796da89657488116

SHA256
c46915cc256b243e418f7af0793f24287e90e5453d7104c0207aff5881075268

SHA512
786fd82cce70c1406b173d83ddacb21c47b1808a8149f23fe751f49c971318f953f09deb6f1d7c03d5fe50fc2adf4161211278056a2a214eb8324ecc3e963e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
65743e8a6916478b93c8ccfe3c64fd24

SHA1
93da50728d2c46449bd372b8796da89657488116

SHA256
c46915cc256b243e418f7af0793f24287e90e5453d7104c0207aff5881075268

SHA512
786fd82cce70c1406b173d83ddacb21c47b1808a8149f23fe751f49c971318f953f09deb6f1d7c03d5fe50fc2adf4161211278056a2a214eb8324ecc3e963e11

Download Submit
memory/2416-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-42-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-47-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/2416-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-48-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-40-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/2568-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-0-0x0000000000E60000-0x0000000000F06000-memory.dmp

Filesize
664KB

Download
memory/2568-3-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/2568-4-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2568-2-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2568-7-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2568-6-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-32-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-5-0x0000000005270000-0x00000000052EC000-memory.dmp

Filesize
496KB

Download
memory/2648-46-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-38-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-41-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2648-43-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2648-36-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2648-34-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-39-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/2756-37-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-44-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/2756-45-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-35-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads