agenttesla | 2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057

General

Target

2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
Size

819KB
MD5

f29554262c858e2e6fd1d828bbade0bc
SHA1

7cda09a6c742000f5868888a321216b1d3a72d00
SHA256

2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057
SHA512

acbfa0c8e8d94cba1994cb23aed0fe0de6f8dc3ec9d2503f957af5990f5d8a923e6a42f9d2b8687540d711bf32d50ef2200a70d75883a67c4d894ddb0475bf2e
SSDEEP

24576:4k34/up+pJHkSJPvrxZ3IPtrQGUOfM0eh0Q:h38PJHkSpj4lrHf1Q

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
ajgpjhnhhyeoaeoa
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe

description	pid	process	target process
PID 2168 set thread context of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2604 schtasks.exe

pid	process
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exepowershell.exepowershell.exe

pid	process
2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
2548	powershell.exe
2224	powershell.exe
2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe

description	pid	process	target process
PID 2168 wrote to memory of 2224	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2224	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2224	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2224	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2548	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2548	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2548	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2548	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	powershell.exe
PID 2168 wrote to memory of 2604	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	schtasks.exe
PID 2168 wrote to memory of 2604	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	schtasks.exe
PID 2168 wrote to memory of 2604	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	schtasks.exe
PID 2168 wrote to memory of 2604	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	schtasks.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
PID 2168 wrote to memory of 2640	2168	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe	2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe

C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
"C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KGEKGiThiZ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KGEKGiThiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp453A.tmp"
2⤵
- Creates scheduled task(s)
PID:2604

C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe
"C:\Users\Admin\AppData\Local\Temp\2675bc14c6d17556370948b7a66efa835a8d8362828057e6a3570dbcc5c6d057.exe"
2⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp453A.tmp

Filesize
1KB

MD5
2df1f5851ce893cd4d7fe35203d79c9e

SHA1
513151e9aff30038e335c0a34bb8957969f8b434

SHA256
00142b10fca97e7ccc77bb3eba35f14fda60d5849de3c459db38c55ecf8a427a

SHA512
930cc67f691cacd556348c9bacdcaab21a0106450ee5af59d41726db83b48dab7e5b4fc5ee1e2e8743cb2b346456e715f63901fc64f2e3a4883b07ade048e7c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DC6RZGWGZDXFYMYSSEFX.temp

Filesize
7KB

MD5
15b03df9e29ae6f7ac3da6210630401c

SHA1
f28fb2a8700bfa14fa2a28b1956546256967df81

SHA256
2c7b7b837120d506dc30c7654762a984ad32cb7d6f3f05f7b83a7e20b14507bc

SHA512
bfaf57120504b76bbffbe602e5b2bcaa7f02dfb6b82fe1932246e0a57593f3ccb4e956b67294650d0ffe0ceb41acdc52494432305f11d8ff8c32e3e5058ed7f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
15b03df9e29ae6f7ac3da6210630401c

SHA1
f28fb2a8700bfa14fa2a28b1956546256967df81

SHA256
2c7b7b837120d506dc30c7654762a984ad32cb7d6f3f05f7b83a7e20b14507bc

SHA512
bfaf57120504b76bbffbe602e5b2bcaa7f02dfb6b82fe1932246e0a57593f3ccb4e956b67294650d0ffe0ceb41acdc52494432305f11d8ff8c32e3e5058ed7f2

Download Submit
memory/2168-0-0x0000000000D20000-0x0000000000DF2000-memory.dmp

Filesize
840KB

Download
memory/2168-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2168-3-0x0000000000680000-0x0000000000698000-memory.dmp

Filesize
96KB

Download
memory/2168-4-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2168-5-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2168-6-0x0000000005240000-0x00000000052BC000-memory.dmp

Filesize
496KB

Download
memory/2168-40-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-35-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-27-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-36-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2224-23-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-42-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-30-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2548-21-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-32-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2548-25-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2548-41-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-29-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads