agenttesla | 31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6

General

Target

AWB.exe
Size

744KB
MD5

7723ce30a13cd21918ec8a9ba6756f0f
SHA1

940e9d687cf6d972a365346802c0f8a9be5c1b21
SHA256

31aeeb6ce979eed704ead00a328df97e2d26690a02e5a29a1d2070dff1ab27b6
SHA512

e20c694048c1e552077bee886552a67da76ff4ef4ac26060a7fb5db78684602f47bcfdd2848ecbb029886a9b8dae18940137cfdddb64a88d9fa94eb433de7300
SSDEEP

12288:U1mwygw0BxF25eAMkeB+s/uUZ6VfQh/MjOcSKYGMAGZLYRtDmId0ajL6USkY:UBjZxgKTgs/uzfVj5Y0GRYOId0ajmuY

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shivomrealty.com
Port:
587
Username:
[email protected]
Password:
Priya1982#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

AWB.exe

description pid process target process

PID 1612 set thread context of 2468 1612 AWB.exe AWB.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

AWB.exepowershell.exepowershell.exeAWB.exe

pid process

1612 AWB.exe
1612 AWB.exe
1612 AWB.exe
1612 AWB.exe
1612 AWB.exe
2568 powershell.exe
2636 powershell.exe
2468 AWB.exe
2468 AWB.exe

description	pid	process	target process
PID 1612 set thread context of 2468	1612	AWB.exe	AWB.exe

pid	process
2664	schtasks.exe

pid	process
1612	AWB.exe
1612	AWB.exe
1612	AWB.exe
1612	AWB.exe
1612	AWB.exe
2568	powershell.exe
2636	powershell.exe
2468	AWB.exe
2468	AWB.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AWB.exepowershell.exepowershell.exeAWB.exe

description	pid	process
Token: SeDebugPrivilege	1612	AWB.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2468	AWB.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

AWB.exe

description	pid	process	target process
PID 1612 wrote to memory of 2636	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2636	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2636	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2636	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2568	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2568	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2568	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2568	1612	AWB.exe	powershell.exe
PID 1612 wrote to memory of 2664	1612	AWB.exe	schtasks.exe
PID 1612 wrote to memory of 2664	1612	AWB.exe	schtasks.exe
PID 1612 wrote to memory of 2664	1612	AWB.exe	schtasks.exe
PID 1612 wrote to memory of 2664	1612	AWB.exe	schtasks.exe
PID 1612 wrote to memory of 2176	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2176	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2176	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2176	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe
PID 1612 wrote to memory of 2468	1612	AWB.exe	AWB.exe

C:\Users\Admin\AppData\Local\Temp\AWB.exe
"C:\Users\Admin\AppData\Local\Temp\AWB.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AWB.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tDWYgnAToHH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tDWYgnAToHH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC62C.tmp"
2⤵
- Creates scheduled task(s)
PID:2664

C:\Users\Admin\AppData\Local\Temp\AWB.exe
"C:\Users\Admin\AppData\Local\Temp\AWB.exe"
2⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\AWB.exe
"C:\Users\Admin\AppData\Local\Temp\AWB.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC62C.tmp
Filesize
1KB

MD5
9bda452d4fe5472a3f3b7ff48598a97c

SHA1
38bed0898b99b5095289dd2d673fb4a34568e95f

SHA256
f7e6828ef71b2fe622cb3258b2efb2d8c497de344469d9b09ab26c7f72aff0e8

SHA512
f75206d59013c98f307ac457218282816cb0e60ea833b8a7d592b545c4f6f82c118543b2c08d3852e93ffb4f3bb97a5c81d86593a3ca0ad709d46c6b5dab2974

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c34a8dceaaa5019879c1ab310fa0524d

SHA1
b51138fe3e5e6070310f1b28a7d662b50c06084a

SHA256
d89b1a5ba213d676554a21692a93f704036c003debf93c129480d51974dd1895

SHA512
667d2e9191dc96e9da1d35d87b79aa06370aa210ee1579316e1ef5aba8606134cabd9c3d3af940ccdb038ab50bf7b5c0454112783510fc164e11f2f51b04f88f

Download Submit
memory/1612-1-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/1612-0-0x0000000000D20000-0x0000000000DE0000-memory.dmp

Filesize
768KB

Download
memory/1612-2-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

Filesize
256KB

Download
memory/1612-3-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1612-4-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1612-5-0x00000000054A0000-0x0000000005522000-memory.dmp

Filesize
520KB

Download
memory/1612-30-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-36-0x00000000043C0000-0x0000000004400000-memory.dmp

Filesize
256KB

Download
memory/2468-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2468-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-45-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-44-0x00000000043C0000-0x0000000004400000-memory.dmp

Filesize
256KB

Download
memory/2468-41-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-38-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2568-37-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2568-35-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2568-42-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2568-33-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-40-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2636-39-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2636-34-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-43-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-32-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads