agenttesla | cdf2fecfefa949e315f8f0b887a11cd2d7c3a000af79ee637b25052eac663adc

General

Target

PO 20240105.exe
Size

740KB
MD5

81d099f1008d98346919c22f105e26e5
SHA1

de77e686d32adca574703621974811dc6c7d3b31
SHA256

1ddead5d6964c8e382d3b2ea694774ff58486bcfb7996015561cc9a03c61b536
SHA512

b174aa74461edcc8afee22134084d6de4001fdf5d7012fbcd904f119d3959d776b43fd91a25147c20d2dcfa0d18eeb0b554155d2c7380d55030e6dd2e28bf794
SSDEEP

12288:Wd1JsJ6SH1Sh2iNwCZDcTsTmmk82Zzl2VLlh5AMOYFC6Vljc4J+G30NuqDpfLpPd:Wd4w1GQQABk1Zzl4ph5vtCi0hBDpfLG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.starmech.net
Port:
587
Username:
[email protected]
Password:
nics123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 2516	2732	PO 20240105.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2732	PO 20240105.exe
2732	PO 20240105.exe
2732	PO 20240105.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
2908	powershell.exe
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	PO 20240105.exe
Token: SeDebugPrivilege	2516	RegSvcs.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2908	2732	PO 20240105.exe	27
PID 2732 wrote to memory of 2908	2732	PO 20240105.exe	27
PID 2732 wrote to memory of 2908	2732	PO 20240105.exe	27
PID 2732 wrote to memory of 2908	2732	PO 20240105.exe	27
PID 2732 wrote to memory of 2812	2732	PO 20240105.exe	29
PID 2732 wrote to memory of 2812	2732	PO 20240105.exe	29
PID 2732 wrote to memory of 2812	2732	PO 20240105.exe	29
PID 2732 wrote to memory of 2812	2732	PO 20240105.exe	29
PID 2732 wrote to memory of 2880	2732	PO 20240105.exe	31
PID 2732 wrote to memory of 2880	2732	PO 20240105.exe	31
PID 2732 wrote to memory of 2880	2732	PO 20240105.exe	31
PID 2732 wrote to memory of 2880	2732	PO 20240105.exe	31
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33
PID 2732 wrote to memory of 2516	2732	PO 20240105.exe	33

C:\Users\Admin\AppData\Local\Temp\PO 20240105.exe
"C:\Users\Admin\AppData\Local\Temp\PO 20240105.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 20240105.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TZgkPJEad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TZgkPJEad" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB71F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB71F.tmp

Filesize
1KB

MD5
7ac7d20611a325223dc41c19d5ba8632

SHA1
863f4ce883217f4f5aca8e30308091864b09cafa

SHA256
3230b69535ee32c157f32aef120d7d741c04507c7ab31164e8874888981a6985

SHA512
5e63e9705cce5c68970b9f699c91ea80f3ec4beadc535fbfb530c27ce3340165b92855da1f636f29b8b6f8ac4e165d269a734c1e69c1c80cc4ec656a32131ffa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OMSZJSQCWX4PXBZD2Y4Z.temp

Filesize
7KB

MD5
23217f17425fa798ba24b4e7150f44d7

SHA1
d2b452ca2c8a9976f2e6b68e77b5f0358b7850e2

SHA256
479d26e5e8fa56a9e5f56f39341bc9295c8f21276aa43c67977b028d8a0b8d56

SHA512
f8d0c37bc9b99a79a048267a41c5048bbce2a31123aa463dc074a0e34b12f8e06bd6f12fd99356ce33b83cffee4cbcc8cf018f8f81d96e57d248e3868ef568d5

Download Submit
memory/2516-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-39-0x0000000072E50000-0x000000007353E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-43-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/2516-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-42-0x0000000072E50000-0x000000007353E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-34-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-3-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2732-0-0x0000000000F80000-0x000000000103C000-memory.dmp

Filesize
752KB

Download
memory/2732-1-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-2-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2732-5-0x0000000004EC0000-0x0000000004F42000-memory.dmp

Filesize
520KB

Download
memory/2732-4-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2812-21-0x000000006F860000-0x000000006FE0B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-18-0x000000006F860000-0x000000006FE0B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-41-0x000000006F860000-0x000000006FE0B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-38-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2908-19-0x000000006F860000-0x000000006FE0B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-40-0x000000006F860000-0x000000006FE0B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-20-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads