agenttesla | 9b1467ae3a894ccf263978e4c11e2e8f229af2544c18ef429318384bbbeec69d

General

Target

URGENT REQUEST FOR QUOTATION.exe
Size

645KB
MD5

713ecfa2ce41e3edee829b9a4f9b5c74
SHA1

c23cf057a296df55472ceaab86bc9637cfea0f2d
SHA256

3af8e8d96431992127c5774977cb7b3ea300c4ef8b23a620f0213f42b79584d9
SHA512

9903dde3c8cc3fd7f945661f62afdecd06a391a895f6ba784395b911321e83f16e678b5c601b73416e1b3235d22ceaa5323eacc94afc609ff5db6c88d08606bf
SSDEEP

12288:2kvQaueH5qi/Uqiwq7ay1Lc2wlyoVnqC52sour7aMvi:2ktqi/tiwquy19QyoVXQhurP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.precise.co.in
Port:
587
Username:
[email protected]
Password:
Singh@2022$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2196	URGENT REQUEST FOR QUOTATION.exe
2196	URGENT REQUEST FOR QUOTATION.exe
2196	URGENT REQUEST FOR QUOTATION.exe
2196	URGENT REQUEST FOR QUOTATION.exe
2196	URGENT REQUEST FOR QUOTATION.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	URGENT REQUEST FOR QUOTATION.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2072	2196	URGENT REQUEST FOR QUOTATION.exe	35
PID 2196 wrote to memory of 2072	2196	URGENT REQUEST FOR QUOTATION.exe	35
PID 2196 wrote to memory of 2072	2196	URGENT REQUEST FOR QUOTATION.exe	35
PID 2196 wrote to memory of 2072	2196	URGENT REQUEST FOR QUOTATION.exe	35
PID 2196 wrote to memory of 2800	2196	URGENT REQUEST FOR QUOTATION.exe	34
PID 2196 wrote to memory of 2800	2196	URGENT REQUEST FOR QUOTATION.exe	34
PID 2196 wrote to memory of 2800	2196	URGENT REQUEST FOR QUOTATION.exe	34
PID 2196 wrote to memory of 2800	2196	URGENT REQUEST FOR QUOTATION.exe	34

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kVbSXFovGp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kVbSXFovGp.exe"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
  2⤵
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7687.tmp

Filesize
1KB

MD5
def26a244b94d8358494cbf42c7d30d2

SHA1
e8b826e4051488b44930e440dfd9d63ac8ce8b37

SHA256
7e4fee271b1b8864a8c71e96d7ee31c04db109c47d81c62cdb9243619c158bd5

SHA512
41dccc5bcfe7d0e86db949b9902ecb2e743b49aeb77c4a3f4dfad44fc11783175bc8f39f62a7d1376bed028ad01a259cc76d110c9299bd62c656610df035eb9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A5P1A5H2TVRL9Q2EI0CI.temp

Filesize
7KB

MD5
d4cf468a7eaf9fce227a96ff820bc428

SHA1
699f7c61ecbfab0cf8b949ed0e2f36e45de4b7cc

SHA256
290728b1d07e347fc6e90de876bdabccae626e81fd6d5043f948b796e03dd37d

SHA512
9f6c553460fb581d3bb50fc95c18082d2b66b2c9913b6f4d1d5d8fa183a624ddd86ccb87fe1d63ed2395c5db59f7d9ca1074712d9f6810e21e5f4d44683ff425

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d4cf468a7eaf9fce227a96ff820bc428

SHA1
699f7c61ecbfab0cf8b949ed0e2f36e45de4b7cc

SHA256
290728b1d07e347fc6e90de876bdabccae626e81fd6d5043f948b796e03dd37d

SHA512
9f6c553460fb581d3bb50fc95c18082d2b66b2c9913b6f4d1d5d8fa183a624ddd86ccb87fe1d63ed2395c5db59f7d9ca1074712d9f6810e21e5f4d44683ff425

Download Submit
memory/2072-28-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-44-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-22-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-5-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2196-7-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-8-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2196-6-0x0000000004EA0000-0x0000000004F1C000-memory.dmp

Filesize
496KB

Download
memory/2196-4-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2196-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2196-2-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2196-41-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-0-0x0000000000FD0000-0x0000000001078000-memory.dmp

Filesize
672KB

Download
memory/2592-42-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-47-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-43-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2800-26-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/2800-45-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-24-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-30-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads