agenttesla | 17f1c3567b5334eca6e41e7a341faa999fdb22f64004a185874e23dd4a43d06d

General

Target

KhT.scr.exe
Size

687KB
MD5

62ed0ee9372f04bd637e3995624dbc0c
SHA1

96e4d381325b9c0a0581993529baf0cb38050faf
SHA256

17f1c3567b5334eca6e41e7a341faa999fdb22f64004a185874e23dd4a43d06d
SHA512

7e3c79a487e8d472947aab1050db828ae7fe65ae1af049c00dfe7cd1b4668313665dd6380a32b7465a16da292e8270e53c35586ea39dcef3ec50ddc8a1bd2e1a
SSDEEP

12288:4/K0YOwqOpWXqqfNg3Hsgtwmq+MzaMl7+fpfKIIP9HJYxbd:DO7rXHNg3HsgtwD+MzplCfxKzHJI

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sigmamotorspk.com
Port:
587
Username:
khiro@sigmamotorspk.com
Password:
zarbeazab1234
Email To:
maungth@b-mech.com.sg

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

KhT.scr.exe

description pid process target process

PID 1220 set thread context of 1844 1220 KhT.scr.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2660 schtasks.exe

description	pid	process	target process
PID 1220 set thread context of 1844	1220	KhT.scr.exe	RegSvcs.exe

pid	process
2660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

KhT.scr.exeRegSvcs.exepowershell.exe

pid	process
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1220	KhT.scr.exe
1844	RegSvcs.exe
1844	RegSvcs.exe
2512	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

KhT.scr.exeRegSvcs.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1220 KhT.scr.exe
Token: SeDebugPrivilege 1844 RegSvcs.exe
Token: SeDebugPrivilege 2512 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1220	KhT.scr.exe
Token: SeDebugPrivilege	1844	RegSvcs.exe
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

KhT.scr.exe

description	pid	process	target process
PID 1220 wrote to memory of 2512	1220	KhT.scr.exe	powershell.exe
PID 1220 wrote to memory of 2512	1220	KhT.scr.exe	powershell.exe
PID 1220 wrote to memory of 2512	1220	KhT.scr.exe	powershell.exe
PID 1220 wrote to memory of 2512	1220	KhT.scr.exe	powershell.exe
PID 1220 wrote to memory of 2660	1220	KhT.scr.exe	schtasks.exe
PID 1220 wrote to memory of 2660	1220	KhT.scr.exe	schtasks.exe
PID 1220 wrote to memory of 2660	1220	KhT.scr.exe	schtasks.exe
PID 1220 wrote to memory of 2660	1220	KhT.scr.exe	schtasks.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 2448	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe
PID 1220 wrote to memory of 1844	1220	KhT.scr.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\KhT.scr.exe
"C:\Users\Admin\AppData\Local\Temp\KhT.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zTmBkRpHGbA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zTmBkRpHGbA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp"
2⤵
- Creates scheduled task(s)
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp
Filesize
1KB

MD5
c80aa23d1ca3e1b8b06de94500a0754d

SHA1
89504faece1cd3e3377ba54a4ab7a8f5e175cbd2

SHA256
ba066af780a572d9b250dc20e63547415c921491bb2b5b086905fefe4c6d5ab4

SHA512
fd069f66fea84bd3945827a7cddbffd5aec6a16aa6e2504e49f9e9cf1a999818f1ff6bfea779963f519c78f748f27e0e4670d15cd97c70f524207fab1c234ef3

Download Submit
memory/1220-0-0x0000000000E80000-0x0000000000F32000-memory.dmp

Filesize
712KB

Download
memory/1220-1-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1220-2-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1220-3-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download
memory/1220-4-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1220-5-0x0000000005120000-0x00000000051A2000-memory.dmp

Filesize
520KB

Download
memory/1220-6-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1220-25-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1844-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-29-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1844-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1844-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-33-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1844-32-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1844-28-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1844-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-30-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2512-31-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-27-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-26-0x000000006EFA0000-0x000000006F54B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads