agenttesla | da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6

General

Target

rInquiry.exe
Size

602KB
MD5

cdef16a2a2116cd907aa817b11217cfd
SHA1

d23ba1f017c0e65ba65203c889a2bea963d63d3a
SHA256

da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
SHA512

9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
SSDEEP

12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
terminal4.veeblehosting.com
Port:
587
Username:
[email protected]
Password:
Ifeanyi1987@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2604 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2496 cmd.exe
2352 WerFault.exe
2352 WerFault.exe
2352 WerFault.exe
2352 WerFault.exe
2352 WerFault.exe

pid	process
2604	svchost.exe

pid	process
2496	cmd.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rInquiry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	rInquiry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2604 set thread context of 2856 2604 svchost.exe installutil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2476 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2508 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rInquiry.exeinstallutil.exe

pid process

1764 rInquiry.exe
1764 rInquiry.exe
2856 installutil.exe
2856 installutil.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rInquiry.exesvchost.exeinstallutil.exe

description pid process

Token: SeDebugPrivilege 1764 rInquiry.exe
Token: SeDebugPrivilege 2604 svchost.exe
Token: SeDebugPrivilege 2856 installutil.exe

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 2604 set thread context of 2856	2604	svchost.exe	installutil.exe

pid	process
2476	schtasks.exe

pid	process
2508	timeout.exe

pid	process
1764	rInquiry.exe
1764	rInquiry.exe
2856	installutil.exe
2856	installutil.exe

description	pid	process
Token: SeDebugPrivilege	1764	rInquiry.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeDebugPrivilege	2856	installutil.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

rInquiry.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1764 wrote to memory of 2688	1764	rInquiry.exe	cmd.exe
PID 1764 wrote to memory of 2688	1764	rInquiry.exe	cmd.exe
PID 1764 wrote to memory of 2688	1764	rInquiry.exe	cmd.exe
PID 1764 wrote to memory of 2496	1764	rInquiry.exe	cmd.exe
PID 1764 wrote to memory of 2496	1764	rInquiry.exe	cmd.exe
PID 1764 wrote to memory of 2496	1764	rInquiry.exe	cmd.exe
PID 2496 wrote to memory of 2508	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 2508	2496	cmd.exe	timeout.exe
PID 2496 wrote to memory of 2508	2496	cmd.exe	timeout.exe
PID 2688 wrote to memory of 2476	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2476	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2476	2688	cmd.exe	schtasks.exe
PID 2496 wrote to memory of 2604	2496	cmd.exe	svchost.exe
PID 2496 wrote to memory of 2604	2496	cmd.exe	svchost.exe
PID 2496 wrote to memory of 2604	2496	cmd.exe	svchost.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2856	2604	svchost.exe	installutil.exe
PID 2604 wrote to memory of 2352	2604	svchost.exe	WerFault.exe
PID 2604 wrote to memory of 2352	2604	svchost.exe	WerFault.exe
PID 2604 wrote to memory of 2352	2604	svchost.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rInquiry.exe
"C:\Users\Admin\AppData\Local\Temp\rInquiry.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F82.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2508

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2604 -s 712
4⤵
- Loads dropped DLL
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1F82.tmp.bat
Filesize
151B

MD5
92f308274d1dc168324d3753c721d50a

SHA1
6c36f0b5d34ccf40fceab8a8184c6316612ed9ba

SHA256
0d2caf6be19f89f2e64efe03a0aa639c7fcc783913eed3569c5614287e7253f9

SHA512
f384b83835c09c507a237c3dd633d718ed76f4c65b7e614aecd2143edd294da955ce7a600268c68ad35630d95e6975acc589659597f0fe1f477db155942bd113

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
602KB

MD5
cdef16a2a2116cd907aa817b11217cfd

SHA1
d23ba1f017c0e65ba65203c889a2bea963d63d3a

SHA256
da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6

SHA512
9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae

Download Submit
memory/1764-0-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1764-1-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1764-2-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/1764-3-0x0000000001EA0000-0x0000000001F36000-memory.dmp

Filesize
600KB

Download
memory/1764-13-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-18-0x0000000001350000-0x0000000001358000-memory.dmp

Filesize
32KB

Download
memory/2604-19-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-20-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2604-39-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2604-38-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2856-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-35-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-37-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2856-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-40-0x0000000074810000-0x0000000074EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-41-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads