agenttesla | 95c96f2d35f40ff0f47dc61ebea3ffee5e28aef7e899ea6624afc3e8321d6cbf

General

Target

required and measured value.exe
Size

1008KB
MD5

3521aff033bea60a6e8869378b9d068c
SHA1

9d84d60857b499e6c6c13d684e67f11f6d8ca31a
SHA256

502d7ec69173cc68e242caf59956a90e519dad247b118c60394be96c9474f2d3
SHA512

98f3c653b2a763ffa72aa0873f760e06221428066a2f8dc9fcf4c5ecc620684acbf572518057b6c9eac952587d14f033bc9648531cfb0e97f68be86588310e8b
SSDEEP

24576:Bqas+pJyCkF0ODvYHkAduLZgBGROSYOmT7Lmte9:wyJyCkF9VAd4ZgBG4SYOy7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

required and measured value.exe

description pid process target process

PID 2344 set thread context of 2860 2344 required and measured value.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2660 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2928 powershell.exe
2684 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2928 powershell.exe
Token: SeDebugPrivilege 2684 powershell.exe

description	pid	process	target process
PID 2344 set thread context of 2860	2344	required and measured value.exe	RegSvcs.exe

pid	process
2660	schtasks.exe

pid	process
2928	powershell.exe
2684	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

required and measured value.exe

description	pid	process	target process
PID 2344 wrote to memory of 2684	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2684	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2684	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2684	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2928	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2928	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2928	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2928	2344	required and measured value.exe	powershell.exe
PID 2344 wrote to memory of 2660	2344	required and measured value.exe	schtasks.exe
PID 2344 wrote to memory of 2660	2344	required and measured value.exe	schtasks.exe
PID 2344 wrote to memory of 2660	2344	required and measured value.exe	schtasks.exe
PID 2344 wrote to memory of 2660	2344	required and measured value.exe	schtasks.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe
PID 2344 wrote to memory of 2860	2344	required and measured value.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\required and measured value.exe
"C:\Users\Admin\AppData\Local\Temp\required and measured value.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\required and measured value.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kVDWrSDRqNaAK.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kVDWrSDRqNaAK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64AC.tmp"
2⤵
- Creates scheduled task(s)
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp64AC.tmp

Filesize
1KB

MD5
b73f09b1e1a85195162d0285f2a275e3

SHA1
e21edc442322df9e4fe3c1508d9d5163aba62eb5

SHA256
8576b1b4abd35e41234bf54214b86fb70816e2d2a593d10062bcdecf5897ba7a

SHA512
afd66b39602a36941d1aaeccd879539b6fa124a8e00bcf9d3c6da0bfa09bac7fd4dafa8820b353609abf6f5507279d8c53b9bdfc3ee2dacb4441ee46b8661dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WDWX3Q4UHNY4TB1V8C4E.temp

Filesize
7KB

MD5
bea459dcc7cdbf38bf92ded2aa7a5ec4

SHA1
372f3b26fb01199ee9f0935655c7176bd133a9b7

SHA256
03a21ca04af2c18450731544413dd1eb7ddd3c3217e5353d9ec138a350814f76

SHA512
5778aacc14466d885ed1f6e023f627c392601dca86a80c04a6e2255c0fb37c335f236cd0fadbe7907830893ffb9777cf840349920990085638bbc2a9df29dbdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bea459dcc7cdbf38bf92ded2aa7a5ec4

SHA1
372f3b26fb01199ee9f0935655c7176bd133a9b7

SHA256
03a21ca04af2c18450731544413dd1eb7ddd3c3217e5353d9ec138a350814f76

SHA512
5778aacc14466d885ed1f6e023f627c392601dca86a80c04a6e2255c0fb37c335f236cd0fadbe7907830893ffb9777cf840349920990085638bbc2a9df29dbdc

Download Submit
memory/2344-4-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2344-1-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2344-5-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2344-6-0x0000000005030000-0x00000000050AC000-memory.dmp

Filesize
496KB

Download
memory/2344-7-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2344-3-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download
memory/2344-2-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2344-38-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2344-20-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2344-0-0x0000000000F50000-0x0000000001052000-memory.dmp

Filesize
1.0MB

Download
memory/2684-40-0x000000006F6F0000-0x000000006FC9B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-21-0x000000006F6F0000-0x000000006FC9B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-24-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2684-30-0x000000006F6F0000-0x000000006FC9B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-31-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2860-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-33-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/2928-27-0x000000006F6F0000-0x000000006FC9B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-22-0x000000006F6F0000-0x000000006FC9B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-41-0x000000006F6F0000-0x000000006FC9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads