agenttesla | 49e851015562eb9ae6e3ef89adcb911497e4f68b7be32a6a8b89bbb50b76f367

General

Target

INVOICES.exe
Size

859KB
MD5

5be52f675bc550b10626853abf6a2c06
SHA1

58dea8d092e1efa1b8a80c948fc633cbf48b550c
SHA256

49e851015562eb9ae6e3ef89adcb911497e4f68b7be32a6a8b89bbb50b76f367
SHA512

3ac6ba00bb2e00d8d13efd3bf9f7379e4438160d479231f50e5c14bd4b3ebe7a33293ad1f899139fcf6cd291822d31f25dadbeafe003906978f436259fefba5d
SSDEEP

24576:Imqde8PrKEAtzF1p22HiLFFQzUUybhxxGp/8q:I7dNxAppAnFUchDl

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gimpex-imerys.com
Port:
587
Username:
[email protected]
Password:
h45ZVRb6(IMF
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

INVOICES.exe

pid process

688 INVOICES.exe
688 INVOICES.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INVOICES.exe

description pid process

Token: SeDebugPrivilege 688 INVOICES.exe

pid	process
2664	schtasks.exe

pid	process
688	INVOICES.exe
688	INVOICES.exe

description	pid	process
Token: SeDebugPrivilege	688	INVOICES.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

INVOICES.exe

description	pid	process	target process
PID 688 wrote to memory of 2708	688	INVOICES.exe	powershell.exe
PID 688 wrote to memory of 2708	688	INVOICES.exe	powershell.exe
PID 688 wrote to memory of 2708	688	INVOICES.exe	powershell.exe
PID 688 wrote to memory of 2708	688	INVOICES.exe	powershell.exe
PID 688 wrote to memory of 2664	688	INVOICES.exe	schtasks.exe
PID 688 wrote to memory of 2664	688	INVOICES.exe	schtasks.exe
PID 688 wrote to memory of 2664	688	INVOICES.exe	schtasks.exe
PID 688 wrote to memory of 2664	688	INVOICES.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\INVOICES.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICES.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qisxFtGbSdXp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96E3.tmp"
2⤵
- Creates scheduled task(s)
PID:2664

C:\Users\Admin\AppData\Local\Temp\INVOICES.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICES.exe"
2⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\INVOICES.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICES.exe"
2⤵
PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qisxFtGbSdXp.exe"
2⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp96E3.tmp

Filesize
1KB

MD5
c36b271fb5bc2ec5227455a334e6547a

SHA1
267017a15323b4ff65b6a22a4289ef5bb8bc7edb

SHA256
b36080b112ccce19786e6345648a608f35565f3aadcd4738c240124d593d55e1

SHA512
a6958dbbe1929b8da7ee2f3610983f4d5681868daee793147e1023fe3cd4fe893a1fb8c8192190c03d48dda095b3f638eafc838f553dde09892d54a1670d1a3b

Download Submit
memory/688-29-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/688-1-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/688-2-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/688-3-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/688-5-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/688-4-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/688-6-0x0000000005CA0000-0x0000000005D2E000-memory.dmp

Filesize
568KB

Download
memory/688-0-0x0000000000DE0000-0x0000000000EBE000-memory.dmp

Filesize
888KB

Download
memory/2348-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-30-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-36-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-37-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2348-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2348-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-31-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2348-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-34-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download
memory/2708-35-0x000000006E790000-0x000000006ED3B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-33-0x000000006E790000-0x000000006ED3B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-32-0x000000006E790000-0x000000006ED3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads