agenttesla | 825a37255a61598eaa9eb15897dbc89f7e3637193c4e17775fbbc145ca523528

General

Target

quotation#247833.pdf.exe
Size

612KB
MD5

52bbe58331758dd37f776189080a5ead
SHA1

2542cfdfee6da01c4657c13b3327ebf6f91d42da
SHA256

825a37255a61598eaa9eb15897dbc89f7e3637193c4e17775fbbc145ca523528
SHA512

a99a78ccc4ccc8fd2797d4f2f2c766c9043dd1dbbc7a588680d0472c43c44a78e31212c38f1753196cf0609e65b079b12656a59a934ae36ed4ff3e4f9312e5b8
SSDEEP

12288:S5+SDlnIqMoroxB4559YxaxO2b0NJk+mYRSn9//kcCR8gyn8M4Rxg:CzM7xy559YxaxT0NJkiRU+cCR8VD4fg

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
email.globeauto.in
Port:
587
Username:
ch02a_warranty@globeauto.in
Password:
Mohali@@1#
Email To:
omdbox@protonmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2464 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2648 cmd.exe

pid	process
2464	svchost.exe

pid	process
2648	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

quotation#247833.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	quotation#247833.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2464 set thread context of 2492 2464 svchost.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2920 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2676 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

quotation#247833.pdf.exejsc.exe

pid process

2984 quotation#247833.pdf.exe
2984 quotation#247833.pdf.exe
2984 quotation#247833.pdf.exe
2492 jsc.exe
2492 jsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

quotation#247833.pdf.exesvchost.exejsc.exe

description pid process

Token: SeDebugPrivilege 2984 quotation#247833.pdf.exe
Token: SeDebugPrivilege 2464 svchost.exe
Token: SeDebugPrivilege 2492 jsc.exe

description	pid	process	target process
PID 2464 set thread context of 2492	2464	svchost.exe	jsc.exe

pid	process
2920	schtasks.exe

pid	process
2676	timeout.exe

pid	process
2984	quotation#247833.pdf.exe
2984	quotation#247833.pdf.exe
2984	quotation#247833.pdf.exe
2492	jsc.exe
2492	jsc.exe

description	pid	process
Token: SeDebugPrivilege	2984	quotation#247833.pdf.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	2492	jsc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

quotation#247833.pdf.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 2984 wrote to memory of 1168	2984	quotation#247833.pdf.exe	cmd.exe
PID 2984 wrote to memory of 1168	2984	quotation#247833.pdf.exe	cmd.exe
PID 2984 wrote to memory of 1168	2984	quotation#247833.pdf.exe	cmd.exe
PID 2984 wrote to memory of 2648	2984	quotation#247833.pdf.exe	cmd.exe
PID 2984 wrote to memory of 2648	2984	quotation#247833.pdf.exe	cmd.exe
PID 2984 wrote to memory of 2648	2984	quotation#247833.pdf.exe	cmd.exe
PID 2648 wrote to memory of 2676	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2676	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2676	2648	cmd.exe	timeout.exe
PID 1168 wrote to memory of 2920	1168	cmd.exe	schtasks.exe
PID 1168 wrote to memory of 2920	1168	cmd.exe	schtasks.exe
PID 1168 wrote to memory of 2920	1168	cmd.exe	schtasks.exe
PID 2648 wrote to memory of 2464	2648	cmd.exe	svchost.exe
PID 2648 wrote to memory of 2464	2648	cmd.exe	svchost.exe
PID 2648 wrote to memory of 2464	2648	cmd.exe	svchost.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2612	2464	svchost.exe	msbuild.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2492	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2476	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2476	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2476	2464	svchost.exe	jsc.exe
PID 2464 wrote to memory of 2476	2464	svchost.exe	jsc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\quotation#247833.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\quotation#247833.pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp533E.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2676

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
4⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
PID:2476

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp533E.tmp.bat
Filesize
151B

MD5
73b91d7cfae897287dd267ed8031804f

SHA1
431a2be8e29ca015d21bfb3117e779dc9192dce4

SHA256
4f864048266051d286ac061d312ded0f4fceb500efebb84dea41e9c8dafc774e

SHA512
fe99e437c2948f3a6875fe5284108ef2b98b6a8065c9a2795e84dcc4162bc4e0f9e491706683f0123b56ede370bbc5ca591ef2c378e25c147937eb0d4b37e8f7

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
612KB

MD5
52bbe58331758dd37f776189080a5ead

SHA1
2542cfdfee6da01c4657c13b3327ebf6f91d42da

SHA256
825a37255a61598eaa9eb15897dbc89f7e3637193c4e17775fbbc145ca523528

SHA512
a99a78ccc4ccc8fd2797d4f2f2c766c9043dd1dbbc7a588680d0472c43c44a78e31212c38f1753196cf0609e65b079b12656a59a934ae36ed4ff3e4f9312e5b8

Download Submit
memory/2464-20-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/2464-18-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2464-19-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-36-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-40-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-41-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/2492-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-42-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-0-0x0000000001150000-0x000000000115C000-memory.dmp

Filesize
48KB

Download
memory/2984-13-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-3-0x000000001B2F0000-0x000000001B386000-memory.dmp

Filesize
600KB

Download
memory/2984-2-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/2984-1-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads