agenttesla | 18823ee2c8f0eb332d3519eb7bad50124ddaab05364eaf1f4cbf26efa846f33a

Analysis

max time kernel
17s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDERN.F1676.23.exe
Size

800KB
MD5

48f3c7c07b24927689c8de637ee7b567
SHA1

47adfbcf07c63668c020c3f0c49a35668ec65a75
SHA256

18823ee2c8f0eb332d3519eb7bad50124ddaab05364eaf1f4cbf26efa846f33a
SHA512

e23fdc41a5e8ee6e3824ca7e4c338e0f9d6a336b81fc0d594d619ebae3a0a428d6d96557bcbc1e0acbd79e08934f56da836314786d7aa6beb5eafba5ef791ee4
SSDEEP

12288:0dKE6jD/62iNG5nF8BZlfr5Syj74fK9UrAfZRqusn9DwqoPLwbVl335kypwbfest:0dKtD/61Ic3FyrABRi9UqBDH5luGC

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.abi0expertise.com
Port:
587
Username:
[email protected]
Password:
Najwa1949!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2624 schtasks.exe

pid	process
2624	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe
"C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe"
1⤵
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\THfPxk.exe"
2⤵
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\THfPxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83B7.tmp"
2⤵
- Creates scheduled task(s)
PID:2624

C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe
"C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe"
2⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fh0kmj2q.zak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83B7.tmp

Filesize
1KB

MD5
657d9035a344cb85d3bfd21eef06d1ee

SHA1
455af485d576046ac52b44dc292a99d726fd9126

SHA256
3b00a7981b463ade82c6f48ee7f0ff2849c40447d63bde3ad8a8b4dc503fdca8

SHA512
dfaa8220cef01d62ea73f9a8e2af525cd08ae7aa007e239b75735830fe35c108d2c8242328ae10949401eac18debc02d9446ed28c207b0ca139a2fb8db0f23d1

Download Submit
memory/2724-61-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/2724-66-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/2724-69-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2724-65-0x0000000007C30000-0x0000000007C4A000-memory.dmp

Filesize
104KB

Download
memory/2724-64-0x0000000007B30000-0x0000000007B44000-memory.dmp

Filesize
80KB

Download
memory/2724-63-0x0000000007B20000-0x0000000007B2E000-memory.dmp

Filesize
56KB

Download
memory/2724-43-0x000000007FD10000-0x000000007FD20000-memory.dmp

Filesize
64KB

Download
memory/2724-44-0x0000000007580000-0x00000000075B2000-memory.dmp

Filesize
200KB

Download
memory/2724-45-0x0000000071580000-0x00000000715CC000-memory.dmp

Filesize
304KB

Download
memory/2724-15-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/2724-20-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2724-22-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/2724-29-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/2724-62-0x0000000007AF0000-0x0000000007B01000-memory.dmp

Filesize
68KB

Download
memory/2724-60-0x0000000007960000-0x000000000796A000-memory.dmp

Filesize
40KB

Download
memory/2724-41-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2724-42-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/2724-58-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/2724-59-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/2724-27-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/2724-55-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/2724-24-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2724-56-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2724-57-0x00000000077C0000-0x0000000007863000-memory.dmp

Filesize
652KB

Download
memory/2724-16-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2724-19-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2724-17-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/3032-5-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/3032-26-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3032-7-0x0000000005B80000-0x0000000005B88000-memory.dmp

Filesize
32KB

Download
memory/3032-9-0x0000000007190000-0x000000000720A000-memory.dmp

Filesize
488KB

Download
memory/3032-28-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3032-10-0x0000000006F60000-0x0000000006FFC000-memory.dmp

Filesize
624KB

Download
memory/3032-2-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/3032-0-0x0000000000D30000-0x0000000000DFE000-memory.dmp

Filesize
824KB

Download
memory/3032-3-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/3032-4-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3032-1-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3032-18-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3032-8-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

Filesize
40KB

Download
memory/3032-6-0x0000000005950000-0x0000000005968000-memory.dmp

Filesize
96KB

Download
memory/4440-30-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4440-71-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4440-70-0x0000000005FE0000-0x0000000006030000-memory.dmp

Filesize
320KB

Download
memory/4440-72-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4440-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-36-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads