agenttesla | fadb9cbc4472d82e46fdbaa4ba5d74b4fcf46e92081050829405e210a5337f52

General

Target

Order 4102672345.exe
Size

639KB
MD5

e00ea5e1e1b9b1f8a63cb79f7c870359
SHA1

dce9d736e1e7865b925a6e77977440528fc77579
SHA256

07463687693e68947b76ead68ae75f764649c80725f4914cde0eaf0d1c4644d7
SHA512

427de637a2676e021654b3932095299e6674802db562532802bdcfc1eb7747121ca6608c61b4e4e3388293ae10f8d43ebc6fc34ccd23cdd1caf457cc912ac609
SSDEEP

12288:g97QaueH5qXSFVWKmcLht4aNkWOJGx4gW8POHnUbVvaoL:g9ZqAUeht4OxekAUByo

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.vrlogistic.com
Port:
587
Username:
[email protected]
Password:
@dmin@123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2504 schtasks.exe

pid	process
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Order 4102672345.exepowershell.exepowershell.exe

pid	process
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
3064	powershell.exe
2768	powershell.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe
1428	Order 4102672345.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Order 4102672345.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1428	Order 4102672345.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Order 4102672345.exe

description	pid	process	target process
PID 1428 wrote to memory of 3064	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 3064	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 3064	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 3064	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 2768	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 2768	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 2768	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 2768	1428	Order 4102672345.exe	powershell.exe
PID 1428 wrote to memory of 2504	1428	Order 4102672345.exe	schtasks.exe
PID 1428 wrote to memory of 2504	1428	Order 4102672345.exe	schtasks.exe
PID 1428 wrote to memory of 2504	1428	Order 4102672345.exe	schtasks.exe
PID 1428 wrote to memory of 2504	1428	Order 4102672345.exe	schtasks.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe
PID 1428 wrote to memory of 2668	1428	Order 4102672345.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Order 4102672345.exe
"C:\Users\Admin\AppData\Local\Temp\Order 4102672345.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order 4102672345.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CombpHV.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CombpHV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp"
2⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6171.tmp

Filesize
1KB

MD5
e7ff102914157da323d65d48d65fc26e

SHA1
209cee8cd2bfa3ed57aa034fd8ff32cd0dd5584e

SHA256
478c52d43950e7575f1b17951aeacde6272735e0c98120dae5232216a4bef5af

SHA512
871198b157eaa8ffa3168fbe44c6cfdf67a9d5d15d3ac67cbaf176bdb8b7f1d12340a8cada00126adacd8883c6c3a0fcda7966446f3c67b29b1c5ce959abb57a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VPFBBQLG5UZMUJ8O2MUB.temp

Filesize
7KB

MD5
f7867a058969d403c25488cae7077f4b

SHA1
133e044f8268c9f2bcdef25547c1e02176af16b1

SHA256
3a4b6b1f110a301a742672a59509ce3ea3d6aa6b87445eeb212b925a6cd0da25

SHA512
7190703974461185d3ccd2ede81b0c4cd30cf5462eeedf99f2f2c97017628c14c198eab5db16fbe0acd62dca8a74f1ab6235a9e48d610a2dc7969aa57b47ff07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f7867a058969d403c25488cae7077f4b

SHA1
133e044f8268c9f2bcdef25547c1e02176af16b1

SHA256
3a4b6b1f110a301a742672a59509ce3ea3d6aa6b87445eeb212b925a6cd0da25

SHA512
7190703974461185d3ccd2ede81b0c4cd30cf5462eeedf99f2f2c97017628c14c198eab5db16fbe0acd62dca8a74f1ab6235a9e48d610a2dc7969aa57b47ff07

Download Submit
memory/1428-5-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1428-4-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1428-0-0x00000000003C0000-0x0000000000464000-memory.dmp

Filesize
656KB

Download
memory/1428-6-0x0000000005300000-0x000000000537C000-memory.dmp

Filesize
496KB

Download
memory/1428-7-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1428-3-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1428-2-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1428-1-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1428-20-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2668-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-21-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-29-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-25-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2768-34-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-23-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-27-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-30-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/3064-33-0x000000006E8B0000-0x000000006EE5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads