agenttesla | e9499146a540aa410852d3ae7bb61d747e449f36c4209f3c9afe35ea1c7195c7

General

Target

LAM CHUAN Q710901.pdf.exe
Size

1024KB
MD5

8412a2cceb09519e18c3419df99efbad
SHA1

33fdcdd1ea11818c2928d80c52e786b0cca9e522
SHA256

7318815c5eed7085d6d336406e6c3255a23e255f5caa954b6b1b4549b7519701
SHA512

b81f90357485356ec5b678e19d41359db65e5b9f328a9d94d4d76fbecee5286cffbce4ce95c9dd7109044fe95b37abcfee6bae443930f22e5cc218808b849d8d
SSDEEP

24576:RBm634/up+pJtwFbGyArZTDOYDD/ckaCFUBkMIHpDqDDBi:RX38PJtw5Ag6D/6CFMkzpDH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6439280362:AAFxJ6Gm_hfG3MYnjXvw0e4QQEIFTsOjkuk/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LAM CHUAN Q710901.pdf.exe

pid process

1664 LAM CHUAN Q710901.pdf.exe
1664 LAM CHUAN Q710901.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

LAM CHUAN Q710901.pdf.exe

description pid process

Token: SeDebugPrivilege 1664 LAM CHUAN Q710901.pdf.exe

flow	ioc
2	api.ipify.org

pid	process
1964	schtasks.exe

pid	process
1664	LAM CHUAN Q710901.pdf.exe
1664	LAM CHUAN Q710901.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1664	LAM CHUAN Q710901.pdf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

LAM CHUAN Q710901.pdf.exe

description	pid	process	target process
PID 1664 wrote to memory of 2728	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2728	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2728	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2728	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2668	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2668	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2668	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 2668	1664	LAM CHUAN Q710901.pdf.exe	powershell.exe
PID 1664 wrote to memory of 1964	1664	LAM CHUAN Q710901.pdf.exe	schtasks.exe
PID 1664 wrote to memory of 1964	1664	LAM CHUAN Q710901.pdf.exe	schtasks.exe
PID 1664 wrote to memory of 1964	1664	LAM CHUAN Q710901.pdf.exe	schtasks.exe
PID 1664 wrote to memory of 1964	1664	LAM CHUAN Q710901.pdf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\LAM CHUAN Q710901.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\LAM CHUAN Q710901.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LAM CHUAN Q710901.pdf.exe"
2⤵
PID:2728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mhkwArwcw.exe"
2⤵
PID:2668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mhkwArwcw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5476.tmp"
2⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5476.tmp

Filesize
1KB

MD5
ba5b117fa3ef2ac0c7af1b4aebb6335b

SHA1
d48e683c520d6af264ad4b35d1188fc5d20108ef

SHA256
a18f52c333a28398cfc77cb7acf43e7d4792beb0de5d6c639cb859a2d03b26c7

SHA512
5834ce0099b87d901250e004683b7bffeca72880087ac35bdca7cd8ddfee2940c6521cd192133e5cd1bd8d7af7b8ec7bb0f99413ad2699239f1970047c9593b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\98JT253627MZ41Q57ONI.temp

Filesize
7KB

MD5
bb29778a5e99ca434f31e0faa45f0c47

SHA1
c3912ac0242eefb1a01ef9d6872326750da67637

SHA256
0e09fae04087f59a7e83ca8d8503d0915825e7ee6478eb25cbbcaf820efc71a9

SHA512
5581e1b20f1f688d359abc247c336fcdd4560634f19c175ba630b37380678cbc79acad29d921022b8ff13bc94b9443e8cdc662db180a289ac0bf81ffd69a68b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bb29778a5e99ca434f31e0faa45f0c47

SHA1
c3912ac0242eefb1a01ef9d6872326750da67637

SHA256
0e09fae04087f59a7e83ca8d8503d0915825e7ee6478eb25cbbcaf820efc71a9

SHA512
5581e1b20f1f688d359abc247c336fcdd4560634f19c175ba630b37380678cbc79acad29d921022b8ff13bc94b9443e8cdc662db180a289ac0bf81ffd69a68b7

Download Submit
memory/1664-3-0x00000000009F0000-0x0000000000A08000-memory.dmp

Filesize
96KB

Download
memory/1664-4-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1664-5-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/1664-6-0x0000000007790000-0x000000000780E000-memory.dmp

Filesize
504KB

Download
memory/1664-38-0x00000000009B0000-0x00000000009F0000-memory.dmp

Filesize
256KB

Download
memory/1664-2-0x00000000009B0000-0x00000000009F0000-memory.dmp

Filesize
256KB

Download
memory/1664-1-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-19-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-40-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-0-0x0000000000D20000-0x0000000000E26000-memory.dmp

Filesize
1.0MB

Download
memory/2556-49-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2556-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-44-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-48-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-34-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/2668-28-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-36-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/2668-46-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-24-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-32-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2728-30-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-26-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2728-45-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-22-0x000000006F030000-0x000000006F5DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads