agenttesla | ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490

General

Target

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
Size

622KB
MD5

1e8ecb9d9a5327abd414a0195c523628
SHA1

358da33c9b8f0334a835ecb910e22359e718a7bc
SHA256

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490
SHA512

7c7ece4b3c052a33994ed38a77e2b200b26c31232f258ff0f4f6166bb6d031c80e3052697b6645fd57e420827d5a9e54a8b4989ebf88c218cf00e27b471b6ed1
SSDEEP

12288:ra5WGDPMJfniGQaw9TPs39kSmeC2xeVyaEX3nXUD51rx:Z9/rjMPs3VK2xeVpEnkl1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6510566783:AAEqx5Uod2gO5hHDZ1xznAnHyO5uFneWegY/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

description	pid	process	target process
PID 2872 set thread context of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2656 schtasks.exe

pid	process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exepowershell.exeed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

pid	process
2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
2052	powershell.exe
2984	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
2984	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exepowershell.exeed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

description	pid	process
Token: SeDebugPrivilege	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2984	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

pid process

2984 ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

pid	process
2984	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

C:\Users\Admin\AppData\Local\Temp\ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
"C:\Users\Admin\AppData\Local\Temp\ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lUaPONLS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lUaPONLS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp421F.tmp"
2⤵
- Creates scheduled task(s)
PID:2656

C:\Users\Admin\AppData\Local\Temp\ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
"C:\Users\Admin\AppData\Local\Temp\ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe"
2⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
"C:\Users\Admin\AppData\Local\Temp\ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp421F.tmp
Filesize
1KB

MD5
47da611057c5e0a3b5bb80c192d6f699

SHA1
68d4199949f31d2624456703ef8a1e7093fe1f9c

SHA256
34d55e89f51078da201b3417f2ea6979816fd2ff4de58cba21e882ee59b10a6c

SHA512
61dd44b15bdb0027812f0023cd56788f6e4994933234065b0f6f6e662ad62476593a6a5d8347c4772fbb2ed0c4f841ec772b764d6ecda3ef9831de304737f4c0

Download Submit
memory/2052-30-0x000000006EA40000-0x000000006EFEB000-memory.dmp

Filesize
5.7MB

Download
memory/2052-27-0x000000006EA40000-0x000000006EFEB000-memory.dmp

Filesize
5.7MB

Download
memory/2052-28-0x0000000001D40000-0x0000000001D80000-memory.dmp

Filesize
256KB

Download
memory/2052-29-0x000000006EA40000-0x000000006EFEB000-memory.dmp

Filesize
5.7MB

Download
memory/2052-26-0x0000000001D40000-0x0000000001D80000-memory.dmp

Filesize
256KB

Download
memory/2872-24-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-3-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2872-0-0x0000000000B30000-0x0000000000BD0000-memory.dmp

Filesize
640KB

Download
memory/2872-2-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2872-4-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2872-5-0x0000000005CB0000-0x0000000005D32000-memory.dmp

Filesize
520KB

Download
memory/2872-1-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-25-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-31-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2872 wrote to memory of 2052	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	powershell.exe
PID 2872 wrote to memory of 2052	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	powershell.exe
PID 2872 wrote to memory of 2052	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	powershell.exe
PID 2872 wrote to memory of 2052	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	powershell.exe
PID 2872 wrote to memory of 2656	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	schtasks.exe
PID 2872 wrote to memory of 2656	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	schtasks.exe
PID 2872 wrote to memory of 2656	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	schtasks.exe
PID 2872 wrote to memory of 2656	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	schtasks.exe
PID 2872 wrote to memory of 2748	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2748	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2748	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2748	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe
PID 2872 wrote to memory of 2984	2872	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe	ed23f75c269f80d52f41bed70deb30ad4429268db9792f770f6b609c03480490.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads