agenttesla | 88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d

General

Target

88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe
Size

825KB
MD5

0a39bf5d4de076008d2d22444da4c399
SHA1

34b34d768732b53bb94e87d8dfe061b62a543881
SHA256

88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d
SHA512

b64078159a8211988501276f9a2d4593848d734ef0bbc98ea036c8041513d5aec66fb161ae8ade7f608cc8e02944b3ec27d6f872df48c23860e1087345795447
SSDEEP

12288:c45+po2B1FmXmB5Tf/9TSXQ7l9O8QkfiAk9Xs7Z3aTSPyhe+ZEw3zPDyKMHPTZtn:f+pJ1AmBLZ7l97FeoehRCyPDyKMvO

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail5.planetc.net
Port:
587
Username:
[email protected]
Password:
623434@esit
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2604 schtasks.exe

flow	ioc
2	api.ipify.org

pid	process
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe

pid	process
2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe
2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe

description pid process

Token: SeDebugPrivilege 2392 88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe

description	pid	process
Token: SeDebugPrivilege	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe

description	pid	process	target process
PID 2392 wrote to memory of 1668	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 1668	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 1668	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 1668	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 2996	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 2996	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 2996	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe
PID 2392 wrote to memory of 2996	2392	88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe
"C:\Users\Admin\AppData\Local\Temp\88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\88df32aa4765e8db133c4c2f835a90f7889be2c3a8facc9b04db0c1a9422aa9d.exe"
2⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbfYgDromnOtih" /XML "C:\Users\Admin\AppData\Local\Temp\tmp585D.tmp"
2⤵
- Creates scheduled task(s)
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbfYgDromnOtih.exe"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp585D.tmp

Filesize
1KB

MD5
3e7645e320cc86b74ab20f5e9e7dc2d6

SHA1
d323bb2ca25c56e16fe6b5a8d35b6bf533fc4f4d

SHA256
9527e041be6abefb5e008398d725e4431def2310c15d473bb3b3cf8f21d9a6d7

SHA512
94f01dc4d1e6cf84ffe49b43ebf8e04585a73b8ef0a2f002ba39691054cdfba6156d1dacfb6b0082537a9b23254f2dc069254727a23e84128c78edf13b3b7d9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XT7H1DIY9OLVMP1A1GBV.temp

Filesize
7KB

MD5
3b83fe5ba3ec21a3947701d035cc933f

SHA1
6c50196518d05a8b7ca644e7a56dd5ab701d047e

SHA256
e3a2c0c5a4d403d271c60058c9e401443e5e424ff8a463f024069260ce2f02b4

SHA512
234f877d7b6db947ca927f8ae784ce91ae7016d331a48ebd376422782394845b464e4cd707c4acf09f9f79e2f1e05ccb83bf43bbf50e8ae52b788cbf5ded4b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3b83fe5ba3ec21a3947701d035cc933f

SHA1
6c50196518d05a8b7ca644e7a56dd5ab701d047e

SHA256
e3a2c0c5a4d403d271c60058c9e401443e5e424ff8a463f024069260ce2f02b4

SHA512
234f877d7b6db947ca927f8ae784ce91ae7016d331a48ebd376422782394845b464e4cd707c4acf09f9f79e2f1e05ccb83bf43bbf50e8ae52b788cbf5ded4b57

Download Submit
memory/1668-45-0x000000006CDE0000-0x000000006D38B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-25-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/1668-35-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/1668-33-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/1668-29-0x000000006CDE0000-0x000000006D38B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-21-0x000000006CDE0000-0x000000006D38B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-2-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/2392-3-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/2392-5-0x0000000001F60000-0x0000000001F6A000-memory.dmp

Filesize
40KB

Download
memory/2392-6-0x00000000052A0000-0x000000000531A000-memory.dmp

Filesize
488KB

Download
memory/2392-0-0x00000000000D0000-0x00000000001A4000-memory.dmp

Filesize
848KB

Download
memory/2392-1-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-39-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-4-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2576-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-43-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-47-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/2576-46-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-31-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/2996-23-0x000000006CDE0000-0x000000006D38B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-41-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/2996-27-0x000000006CDE0000-0x000000006D38B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-44-0x000000006CDE0000-0x000000006D38B000-memory.dmp

Filesize
5.7MB

Download
memory/2996-36-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads