agenttesla | 31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6

General

Target

LOADING ADVICE.exe
Size

744KB
MD5

7723ce30a13cd21918ec8a9ba6756f0f
SHA1

940e9d687cf6d972a365346802c0f8a9be5c1b21
SHA256

31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6
SHA512

e20c694048c1e552077bee886552a67da76ff4ef4ac26060a7fb5db78684602f47bcfdd2848ecbb029886a9b8dae18940137cfdddb64a88d9fa94eb433de7300
SSDEEP

12288:U1mwygw0BxF25eAMkeB+s/uUZ6VfQh/MjOcSKYGMAGZLYRtDmId0ajL6USkY:UBjZxgKTgs/uzfVj5Y0GRYOId0ajmuY

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shivomrealty.com
Port:
587
Username:
[email protected]
Password:
Priya1982#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

LOADING ADVICE.exe

description pid process target process

PID 3028 set thread context of 1580 3028 LOADING ADVICE.exe LOADING ADVICE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2532 schtasks.exe

description	pid	process	target process
PID 3028 set thread context of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe

pid	process
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

LOADING ADVICE.exeLOADING ADVICE.exepowershell.exepowershell.exe

pid	process
3028	LOADING ADVICE.exe
3028	LOADING ADVICE.exe
3028	LOADING ADVICE.exe
3028	LOADING ADVICE.exe
1580	LOADING ADVICE.exe
1580	LOADING ADVICE.exe
2620	powershell.exe
2544	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

LOADING ADVICE.exeLOADING ADVICE.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3028	LOADING ADVICE.exe
Token: SeDebugPrivilege	1580	LOADING ADVICE.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

LOADING ADVICE.exe

description	pid	process	target process
PID 3028 wrote to memory of 2620	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2620	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2620	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2620	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2544	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2544	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2544	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2544	3028	LOADING ADVICE.exe	powershell.exe
PID 3028 wrote to memory of 2532	3028	LOADING ADVICE.exe	schtasks.exe
PID 3028 wrote to memory of 2532	3028	LOADING ADVICE.exe	schtasks.exe
PID 3028 wrote to memory of 2532	3028	LOADING ADVICE.exe	schtasks.exe
PID 3028 wrote to memory of 2532	3028	LOADING ADVICE.exe	schtasks.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe
PID 3028 wrote to memory of 1580	3028	LOADING ADVICE.exe	LOADING ADVICE.exe

C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
"C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tDWYgnAToHH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tDWYgnAToHH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E73.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADING ADVICE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E73.tmp

Filesize
1KB

MD5
9b070d1c9574fb31ac1a65560dba5135

SHA1
546e75e83e800ec0f3ef37fbc5eaee2211d39bd9

SHA256
d9104ffe964633e5e88198ca70b22373018bb9e66b996dbb33a65078c2e94f44

SHA512
bb84073d9f03681ae798b7728a6763d4ac8d3de0ebb3970370d0b323a1f37722563b5b7f5dc6af7ea9ae43a2ac7cb7fff3aa0513effeccddc6c5db0027f26467

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1272ER4UC0541N15NDOK.temp

Filesize
7KB

MD5
5cb2f6888472de953992beb91a714668

SHA1
25b738e755efff5dea8c08c6131ae556e018d128

SHA256
59983b09897742bf7eae0760d56d64cd091dcbbcb376cb1f14ff1a3b82f05262

SHA512
0b4838543ea9ce9c865ade7573bb209f953d15afe87e7aa242e0425306e36f863bae2138bb8e6ed2774c614a2e5f07ce96fbf5877fb26cf869db76997226170a

Download Submit
memory/1580-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1580-44-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/1580-43-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1580-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-38-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1580-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-40-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/1580-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-39-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2544-41-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-31-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2544-29-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-24-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-35-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2620-33-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2620-37-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2620-27-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-42-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-0-0x0000000000E00000-0x0000000000EC0000-memory.dmp

Filesize
768KB

Download
memory/3028-36-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-3-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/3028-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-2-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/3028-5-0x00000000053E0000-0x0000000005462000-memory.dmp

Filesize
520KB

Download
memory/3028-4-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads