agenttesla | 31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6

General

Target

LOADING ADVICE.exe
Size

744KB
MD5

7723ce30a13cd21918ec8a9ba6756f0f
SHA1

940e9d687cf6d972a365346802c0f8a9be5c1b21
SHA256

31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6
SHA512

e20c694048c1e552077bee886552a67da76ff4ef4ac26060a7fb5db78684602f47bcfdd2848ecbb029886a9b8dae18940137cfdddb64a88d9fa94eb433de7300
SSDEEP

12288:U1mwygw0BxF25eAMkeB+s/uUZ6VfQh/MjOcSKYGMAGZLYRtDmId0ajL6USkY:UBjZxgKTgs/uzfVj5Y0GRYOId0ajmuY

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shivomrealty.com
Port:
587
Username:
[email protected]
Password:
Priya1982#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

LOADING ADVICE.exe

description pid process target process

PID 1888 set thread context of 2524 1888 LOADING ADVICE.exe LOADING ADVICE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe

description	pid	process	target process
PID 1888 set thread context of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe

pid	process
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

LOADING ADVICE.exeLOADING ADVICE.exepowershell.exepowershell.exe

pid	process
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
1888	LOADING ADVICE.exe
2524	LOADING ADVICE.exe
2524	LOADING ADVICE.exe
2608	powershell.exe
1564	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

LOADING ADVICE.exeLOADING ADVICE.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1888	LOADING ADVICE.exe
Token: SeDebugPrivilege	2524	LOADING ADVICE.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

LOADING ADVICE.exe

description	pid	process	target process
PID 1888 wrote to memory of 1564	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 1564	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 1564	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 1564	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 2608	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 2608	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 2608	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 2608	1888	LOADING ADVICE.exe	powershell.exe
PID 1888 wrote to memory of 2628	1888	LOADING ADVICE.exe	schtasks.exe
PID 1888 wrote to memory of 2628	1888	LOADING ADVICE.exe	schtasks.exe
PID 1888 wrote to memory of 2628	1888	LOADING ADVICE.exe	schtasks.exe
PID 1888 wrote to memory of 2628	1888	LOADING ADVICE.exe	schtasks.exe
PID 1888 wrote to memory of 2512	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2512	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2512	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2512	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2748	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2748	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2748	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2748	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2980	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2980	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2980	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2980	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2576	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2576	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2576	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2576	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 1888 wrote to memory of 2524	1888	LOADING ADVICE.exe	LOADING ADVICE.exe

C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
"C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tDWYgnAToHH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tDWYgnAToHH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64BC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp64BC.tmp

Filesize
1KB

MD5
01d70ceec3988675dd9594db7135e2ce

SHA1
ef9ffb4c0f0b4609904acf3a4891228fa05ef00a

SHA256
1cfbceefc518e404fe08094301795e84221d612bcb2c9efefeabedebd82d3a78

SHA512
a2a71233d20ce989d50bcd2de73d11f61862b6bcf2fb461db211c1389c54585f10a5e1b72f161e95c91b7d3af426d516fc05ce0ddc270a2bce86ce7abbcf7ced

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6413765c18c4cf988a610945224e5d2b

SHA1
59347f8370ce54d68d0299c6bf5facfe3c1be50f

SHA256
5bb31fbbbbb1fd754465143d4787ce8327f2340317a800227337579b3caf742f

SHA512
c8882685ca83fc24744cedd32a8b12931a8bb8bfad1e860e206d434b5afe7104a02c0cf8a4ee713d5d3ed18ceb7a161c99f41f735c55236eebfe952b62c71f2a

Download Submit
memory/1564-35-0x000000006F810000-0x000000006FDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-39-0x000000006F810000-0x000000006FDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-36-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1564-37-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1564-33-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1564-31-0x000000006F810000-0x000000006FDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-3-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/1888-4-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1888-5-0x0000000005140000-0x00000000051C2000-memory.dmp

Filesize
520KB

Download
memory/1888-2-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/1888-1-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-29-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-0-0x0000000000030000-0x00000000000F0000-memory.dmp

Filesize
768KB

Download
memory/2524-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-41-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-38-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-34-0x000000006F810000-0x000000006FDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-32-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2608-40-0x000000006F810000-0x000000006FDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2608-30-0x000000006F810000-0x000000006FDBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads