agenttesla | 214de679f00845231238252dc3295762b74c77b7a2ddd7d7eb38f04321bba1dd

General

Target

purchaseorder.exe
Size

1.5MB
MD5

5821694b0d82baab7a73cfa23a47743c
SHA1

abf662eee6d640057b3a94087145501755e427bf
SHA256

214de679f00845231238252dc3295762b74c77b7a2ddd7d7eb38f04321bba1dd
SHA512

db09b349540a5ccdbc4b66b368f7bc6f45700b499229aadf1539251861e48383528e236b4a1c80fd102bc69da4b21e8b42411e4c3243ad27860a9c26f08b542a
SSDEEP

24576:peDHy9z9rmu9+pJsexc/51hxPINlUI9OiZ1017zUTOqYfIlhChgdgm:ismuOJsOchuUoOj17zUT7YfIlohsgm

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
kex#-rHjHM4qKk52
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

purchaseorder.exe

description pid process target process

PID 1112 set thread context of 2696 1112 purchaseorder.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

872 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepurchaseorder.exeRegSvcs.exe

pid process

1740 powershell.exe
2164 powershell.exe
1112 purchaseorder.exe
1112 purchaseorder.exe
2696 RegSvcs.exe
2696 RegSvcs.exe

description	pid	process	target process
PID 1112 set thread context of 2696	1112	purchaseorder.exe	RegSvcs.exe

pid	process
872	schtasks.exe

pid	process
1740	powershell.exe
2164	powershell.exe
1112	purchaseorder.exe
1112	purchaseorder.exe
2696	RegSvcs.exe
2696	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepurchaseorder.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1112	purchaseorder.exe
Token: SeDebugPrivilege	2696	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

purchaseorder.exe

description	pid	process	target process
PID 1112 wrote to memory of 1740	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 1740	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 1740	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 1740	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 2164	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 2164	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 2164	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 2164	1112	purchaseorder.exe	powershell.exe
PID 1112 wrote to memory of 872	1112	purchaseorder.exe	schtasks.exe
PID 1112 wrote to memory of 872	1112	purchaseorder.exe	schtasks.exe
PID 1112 wrote to memory of 872	1112	purchaseorder.exe	schtasks.exe
PID 1112 wrote to memory of 872	1112	purchaseorder.exe	schtasks.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2552	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe
PID 1112 wrote to memory of 2696	1112	purchaseorder.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\purchaseorder.exe
"C:\Users\Admin\AppData\Local\Temp\purchaseorder.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\purchaseorder.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qLKFzy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp"
2⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qLKFzy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp

Filesize
1KB

MD5
08eeaa1980e8e3aed555030172a57fe0

SHA1
839a1e65e0da50ce16555ac9891e0f8023db137d

SHA256
d26a8bd736969497b1fca5b93371da1f5c9e04f7a8ecfad7ebb36d3eb8b9e88d

SHA512
e6422e32c753a6f010fdc4b5385000460a8d3904ccf3b3b349309d46902b96e758b6432fee491a04e0b41681e17d9b6c2cd2046992a82940224e643b1a88777d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RDOZ4S07O2GW367S96ZW.temp

Filesize
7KB

MD5
931dd554f03a027687be6c9c4bba85ed

SHA1
5188be2297b15ae59b2e001be859b75fa2f43409

SHA256
1d6708aab3a97965ec8b544c11a4433f5876a1629a722d827ef8c3892c2687da

SHA512
c7caefe3e1f7d13d63e946526a549f3c341ad008ae35daf66cba33323b9da10be2bfd02d5c1ef907bf412b7cd1bff04a566f299d3536bab964e174b6c17d8ab4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
931dd554f03a027687be6c9c4bba85ed

SHA1
5188be2297b15ae59b2e001be859b75fa2f43409

SHA256
1d6708aab3a97965ec8b544c11a4433f5876a1629a722d827ef8c3892c2687da

SHA512
c7caefe3e1f7d13d63e946526a549f3c341ad008ae35daf66cba33323b9da10be2bfd02d5c1ef907bf412b7cd1bff04a566f299d3536bab964e174b6c17d8ab4

Download Submit
memory/1112-3-0x0000000000520000-0x0000000000538000-memory.dmp

Filesize
96KB

Download
memory/1112-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1112-5-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1112-6-0x0000000008250000-0x00000000082CA000-memory.dmp

Filesize
488KB

Download
memory/1112-7-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-1-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-2-0x0000000007180000-0x00000000071C0000-memory.dmp

Filesize
256KB

Download
memory/1112-0-0x0000000000930000-0x0000000000AAE000-memory.dmp

Filesize
1.5MB

Download
memory/1112-20-0x0000000007180000-0x00000000071C0000-memory.dmp

Filesize
256KB

Download
memory/1112-44-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1740-27-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-48-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-25-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/1740-31-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/1740-21-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-23-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-29-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-47-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-33-0x0000000002A90000-0x0000000002AD0000-memory.dmp

Filesize
256KB

Download
memory/2164-35-0x0000000002A90000-0x0000000002AD0000-memory.dmp

Filesize
256KB

Download
memory/2696-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-45-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2696-46-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2696-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-49-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2696-50-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads