agenttesla | bbd2977d69441d934917ec16e2adf08db3a5ba8a55d2800edff5715dbcb80a23

General

Target

e01f1380aeb3502ac454470540ad53c5.exe
Size

1.3MB
MD5

e01f1380aeb3502ac454470540ad53c5
SHA1

6da056bd6c1c4b0f34f5d7ceff58398729eb9129
SHA256

bbd2977d69441d934917ec16e2adf08db3a5ba8a55d2800edff5715dbcb80a23
SHA512

dbc5ac80248b4cc81390bd9b07150156373925b608657c4db907658ad7190a80e629903ecb7f0949e557ac28321f84bd88421643b96d2a62fc3cfb5953cd4267
SSDEEP

24576:VCvxKFksKksqv7JvZI14dCp9fLSUNBOvx5y8jP8N6ZxHaE75/dZZ:VCvxKXJvZIJfLl7YEN6Zxb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
[email protected]
Password:
67968664JeBlachqwin

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2232-12-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2232-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2232-16-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2232-18-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2232-20-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

e01f1380aeb3502ac454470540ad53c5.exe

description pid process target process

PID 2840 set thread context of 2232 2840 e01f1380aeb3502ac454470540ad53c5.exe e01f1380aeb3502ac454470540ad53c5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2404 schtasks.exe

description	pid	process	target process
PID 2840 set thread context of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe

pid	process
2404	schtasks.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e01f1380aeb3502ac454470540ad53c5.exee01f1380aeb3502ac454470540ad53c5.exe

description	pid	process	target process
PID 2840 wrote to memory of 2404	2840	e01f1380aeb3502ac454470540ad53c5.exe	schtasks.exe
PID 2840 wrote to memory of 2404	2840	e01f1380aeb3502ac454470540ad53c5.exe	schtasks.exe
PID 2840 wrote to memory of 2404	2840	e01f1380aeb3502ac454470540ad53c5.exe	schtasks.exe
PID 2840 wrote to memory of 2404	2840	e01f1380aeb3502ac454470540ad53c5.exe	schtasks.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2840 wrote to memory of 2232	2840	e01f1380aeb3502ac454470540ad53c5.exe	e01f1380aeb3502ac454470540ad53c5.exe
PID 2232 wrote to memory of 472	2232	e01f1380aeb3502ac454470540ad53c5.exe	dw20.exe
PID 2232 wrote to memory of 472	2232	e01f1380aeb3502ac454470540ad53c5.exe	dw20.exe
PID 2232 wrote to memory of 472	2232	e01f1380aeb3502ac454470540ad53c5.exe	dw20.exe
PID 2232 wrote to memory of 472	2232	e01f1380aeb3502ac454470540ad53c5.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe
"C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bspspeOPHY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AB8.tmp"
2⤵
- Creates scheduled task(s)
PID:2404

C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe
"C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
3⤵
PID:472

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2AB8.tmp
Filesize
1KB

MD5
950adc31ae8361784bb8fa791653708f

SHA1
d485fe3f73a757bce23a55a69945aad89a91c594

SHA256
b6c4151d1463bb6d536065265f07591b7a0893ece83d2dea142f50a79310d308

SHA512
d1f1457c6969a794c5c8d921e7e431c72020751d30b2aa62d89c70557cbc5b02c18a690d6cd5be68ff3d7dcb2cd4bca2c86e552bd1fd8f773349920233c81941

Download Submit
memory/472-28-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/472-25-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2232-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-27-0x0000000000580000-0x00000000005C0000-memory.dmp

Filesize
256KB

Download
memory/2232-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-26-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-22-0x0000000000580000-0x00000000005C0000-memory.dmp

Filesize
256KB

Download
memory/2232-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-21-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2232-23-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-4-0x0000000000A30000-0x0000000000A70000-memory.dmp

Filesize
256KB

Download
memory/2840-24-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-2-0x0000000000A30000-0x0000000000A70000-memory.dmp

Filesize
256KB

Download
memory/2840-0-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-3-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2840-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads