agenttesla | 2d310d80e32cf06ccf6cc5e63e542283bc9a301a31215030733a1f733b0d2346

General

Target

1649e10c12e3b6242ac80048b6623683.exe
Size

1.4MB
MD5

1649e10c12e3b6242ac80048b6623683
SHA1

14a200da1c85b80e688673fcc26f4ac21cf9a6fe
SHA256

2d310d80e32cf06ccf6cc5e63e542283bc9a301a31215030733a1f733b0d2346
SHA512

db5905abd5caf3027d06b513cc3b590a27b090817b0e3deae03abb1f51778481cdf724e202a02f39a12847c72fb3e907aa074de74a00d1130a93f2a19677fb92
SSDEEP

24576:adOTNGD7beQ6fsJcPvKVdtNFS/E+FH/T2fXO:0qU9uknSL/T2/

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1775909572:AAGbTnqPuJBAUZrgQhid9SmcxSSNElS3rh8/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

resource	yara_rule
behavioral1/memory/1504-30-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1504-33-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1504-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1504-25-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1504-24-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2584	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2592	1972	1649e10c12e3b6242ac80048b6623683.exe	36
PID 1972 wrote to memory of 2592	1972	1649e10c12e3b6242ac80048b6623683.exe	36
PID 1972 wrote to memory of 2592	1972	1649e10c12e3b6242ac80048b6623683.exe	36
PID 1972 wrote to memory of 2592	1972	1649e10c12e3b6242ac80048b6623683.exe	36

C:\Users\Admin\AppData\Local\Temp\1649e10c12e3b6242ac80048b6623683.exe
"C:\Users\Admin\AppData\Local\Temp\1649e10c12e3b6242ac80048b6623683.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LosJvWlPQthlo.exe"
  2⤵
  PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LosJvWlPQthlo.exe"
  2⤵
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\1649e10c12e3b6242ac80048b6623683.exe
  "C:\Users\Admin\AppData\Local\Temp\1649e10c12e3b6242ac80048b6623683.exe"
  2⤵
  PID:1504
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LosJvWlPQthlo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB57A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1649e10c12e3b6242ac80048b6623683.exe"
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB57A.tmp

Filesize
1KB

MD5
2617b5a1045ef6105771ff4fcb62a4a8

SHA1
61e5f11fdc3230b7ed209a19295b7f31ec395915

SHA256
b89c669cd2cf16bf50de2200e2cab661d00bf48d98823c39f14761441ef6a6a9

SHA512
4d820376b5936ac73ed2312b19e71b7c5b55de02f2759a1d8b0c283a93caacf165cfdd6582be100ce1c8f808160560a96731e109438198526f1581c3141b58f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EJ3LCPVNMGQIY3JQQYQ6.temp

Filesize
7KB

MD5
24ad03cd538bdb72a2fbba45aa6eba62

SHA1
bae2e7d001291fbdfc93ffe65e2403a302d352c7

SHA256
e0016da8ebb325ed972857128d18f59e724a04affee9c69157f78810861d81f2

SHA512
59f998df6e4f34b74c9bb5d98270d4fff93853b5bd79b09f4de0fd4f47d5a6541b066a276e7d7de5d38165b569c0f56001b3d3310bc6f0b8fd465346b96ba52a

Download Submit
memory/1504-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-60-0x0000000001020000-0x0000000001060000-memory.dmp

Filesize
256KB

Download
memory/1504-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-46-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-58-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1504-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-47-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-53-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-48-0x0000000002CD0000-0x0000000002D10000-memory.dmp

Filesize
256KB

Download
memory/1860-52-0x0000000002CD0000-0x0000000002D10000-memory.dmp

Filesize
256KB

Download
memory/1860-51-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-39-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-7-0x0000000000DB0000-0x0000000000DEC000-memory.dmp

Filesize
240KB

Download
memory/1972-0-0x00000000011A0000-0x000000000130A000-memory.dmp

Filesize
1.4MB

Download
memory/1972-2-0x0000000001140000-0x0000000001180000-memory.dmp

Filesize
256KB

Download
memory/1972-3-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1972-4-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-5-0x0000000001140000-0x0000000001180000-memory.dmp

Filesize
256KB

Download
memory/1972-6-0x00000000051D0000-0x000000000526E000-memory.dmp

Filesize
632KB

Download
memory/1972-1-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-38-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-42-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2592-43-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-44-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2592-50-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2592-55-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-41-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-45-0x0000000002990000-0x00000000029D0000-memory.dmp

Filesize
256KB

Download
memory/2620-40-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-54-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-49-0x0000000002990000-0x00000000029D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads