agenttesla | 75c88cf971ed8fc9ac73c54e831478cfae2b483c2c48a3bce48202665de1fb1b

General

Target

231730028-2023-Dec-04 pdf.exe
Size

477KB
MD5

38e85567ecbe691d6319179e8e42fab2
SHA1

72f8f419447da72e61518a7ecdf433a4b05aa458
SHA256

188b48895639573a36270e0693569d98f7a673c975478927559c3eadd6d83839
SHA512

78c77591b9e381d9b3bf962693ec00f0ae94cadee813837095d4fb1e16282a93791d03a4323a52e57870632d7e09227cba1baaeee164264fb174e64a5d7c5d75
SSDEEP

12288:xkNqHWr7yJzMij4kfciX/wtf7FPEvPDvmtj9yx:xUq+IIefziB8vKjQx

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

cpngrtzp.execpngrtzp.exe

pid process

2140 cpngrtzp.exe
2816 cpngrtzp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cpngrtzp.exe

description pid process target process

PID 2140 set thread context of 2816 2140 cpngrtzp.exe cpngrtzp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpngrtzp.exe

pid process

2816 cpngrtzp.exe
2816 cpngrtzp.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cpngrtzp.exe

pid process

2140 cpngrtzp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cpngrtzp.exe

description pid process

Token: SeDebugPrivilege 2816 cpngrtzp.exe

pid	process
2140	cpngrtzp.exe
2816	cpngrtzp.exe

description	pid	process	target process
PID 2140 set thread context of 2816	2140	cpngrtzp.exe	cpngrtzp.exe

pid	process
2816	cpngrtzp.exe
2816	cpngrtzp.exe

pid	process
2140	cpngrtzp.exe

description	pid	process
Token: SeDebugPrivilege	2816	cpngrtzp.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

231730028-2023-Dec-04 pdf.execpngrtzp.exe

description	pid	process	target process
PID 1916 wrote to memory of 2140	1916	231730028-2023-Dec-04 pdf.exe	cpngrtzp.exe
PID 1916 wrote to memory of 2140	1916	231730028-2023-Dec-04 pdf.exe	cpngrtzp.exe
PID 1916 wrote to memory of 2140	1916	231730028-2023-Dec-04 pdf.exe	cpngrtzp.exe
PID 2140 wrote to memory of 2816	2140	cpngrtzp.exe	cpngrtzp.exe
PID 2140 wrote to memory of 2816	2140	cpngrtzp.exe	cpngrtzp.exe
PID 2140 wrote to memory of 2816	2140	cpngrtzp.exe	cpngrtzp.exe
PID 2140 wrote to memory of 2816	2140	cpngrtzp.exe	cpngrtzp.exe

C:\Users\Admin\AppData\Local\Temp\231730028-2023-Dec-04 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\231730028-2023-Dec-04 pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe
"C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe
"C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bktgubujiw.t

Filesize
335KB

MD5
03a408bbf961a94b9448aad8fed24336

SHA1
df08dc867912e252d48d23d599e21a0c90f3d914

SHA256
3d1155039ceb52969ebb93595ee5d3e2899ef72d98619c86439edd7a91d7d248

SHA512
69d145792d23e45419e3070c73d410506aab6ebc091c1ab70320b92f10c1b2aca5795d70e8213458e990c4be3b3d50a98675b647a51e98c626c064bcb5944643

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
memory/2140-6-0x00000000012C0000-0x00000000013C0000-memory.dmp

Filesize
1024KB

Download
memory/2816-16-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2816-18-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/2816-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-15-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2816-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-17-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2816-14-0x0000000005350000-0x0000000005392000-memory.dmp

Filesize
264KB

Download
memory/2816-13-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-19-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/2816-20-0x0000000006160000-0x00000000061B0000-memory.dmp

Filesize
320KB

Download
memory/2816-22-0x00000000061C0000-0x00000000061CA000-memory.dmp

Filesize
40KB

Download
memory/2816-21-0x0000000006250000-0x00000000062E2000-memory.dmp

Filesize
584KB

Download
memory/2816-23-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2816-24-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2816-26-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/2816-25-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing