agenttesla | d439a41979e838880aebc825bf57bdd054a84bfa35e96e18e8c7d06f4e29af2c

General

Target

stub.scr
Size

690KB
MD5

561050d43eac48e58622adc5c368100e
SHA1

fc21fd8f7cebf86c022b5f0be9af61fb01a1a325
SHA256

9416dbd5438c240f30cc856cea7f7f57258ea37716a207b823b469948f8cea9c
SHA512

6ac14995b18a5a93a291b1148190b72ac06910f570e4eb46d6c3a73a27aa63b2c54b248efefe5e96b259c9818bd15516ba9cf9f21c580c665f66ede071c552f4
SSDEEP

12288:8/PnW0YOwqOpvSWofpy5wlnIaQQ2tDFtDtJzSwnAoXAIOUTNO:mmO7MSWapyDq2tptpJzSZowIOYO

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.horizongroup.com.bd
Port:
587
Username:
[email protected]
Password:
horizon@%%%5
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

stub.scr

description pid process target process

PID 2092 set thread context of 2396 2092 stub.scr RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2596 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2092 set thread context of 2396	2092	stub.scr	RegSvcs.exe

pid	process
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

stub.scrRegSvcs.exepowershell.exe

pid	process
2092	stub.scr
2092	stub.scr
2092	stub.scr
2092	stub.scr
2092	stub.scr
2092	stub.scr
2092	stub.scr
2092	stub.scr
2396	RegSvcs.exe
2396	RegSvcs.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

stub.scrRegSvcs.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2092 stub.scr
Token: SeDebugPrivilege 2396 RegSvcs.exe
Token: SeDebugPrivilege 2780 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2396 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2092	stub.scr
Token: SeDebugPrivilege	2396	RegSvcs.exe
Token: SeDebugPrivilege	2780	powershell.exe

pid	process
2396	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

stub.scr

description	pid	process	target process
PID 2092 wrote to memory of 2780	2092	stub.scr	powershell.exe
PID 2092 wrote to memory of 2780	2092	stub.scr	powershell.exe
PID 2092 wrote to memory of 2780	2092	stub.scr	powershell.exe
PID 2092 wrote to memory of 2780	2092	stub.scr	powershell.exe
PID 2092 wrote to memory of 2596	2092	stub.scr	schtasks.exe
PID 2092 wrote to memory of 2596	2092	stub.scr	schtasks.exe
PID 2092 wrote to memory of 2596	2092	stub.scr	schtasks.exe
PID 2092 wrote to memory of 2596	2092	stub.scr	schtasks.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe
PID 2092 wrote to memory of 2396	2092	stub.scr	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\stub.scr
"C:\Users\Admin\AppData\Local\Temp\stub.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qLYUnZRDFrCCL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qLYUnZRDFrCCL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp"
2⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp
Filesize
1KB

MD5
348ece5b262216be09aa0e51afe82e7c

SHA1
e266cb83c02240f1a2da137bb944497ed51f4b6c

SHA256
59dcc0cf03e8d235ed50f101faa344e78417ad41f4b0ef820423a75b3fd3b2aa

SHA512
a9d37a193a1eeeec7faa88b8e7f086b15b568caea99976d3fae883a05aa9f613c4b8e92940cc9ed712e280a460cd95b4468aeb5adc68d6d40a71e0d4e2bee245

Download Submit
memory/2092-0-0x00000000011E0000-0x0000000001292000-memory.dmp

Filesize
712KB

Download
memory/2092-1-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-2-0x0000000000990000-0x00000000009D0000-memory.dmp

Filesize
256KB

Download
memory/2092-3-0x0000000000A20000-0x0000000000A3A000-memory.dmp

Filesize
104KB

Download
memory/2092-4-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2092-5-0x00000000052F0000-0x0000000005372000-memory.dmp

Filesize
520KB

Download
memory/2092-6-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-7-0x0000000000990000-0x00000000009D0000-memory.dmp

Filesize
256KB

Download
memory/2092-25-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-27-0x0000000073100000-0x00000000737EE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-28-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/2396-33-0x0000000073100000-0x00000000737EE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-30-0x000000006E9F0000-0x000000006EF9B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-31-0x0000000002300000-0x0000000002340000-memory.dmp

Filesize
256KB

Download
memory/2780-32-0x000000006E9F0000-0x000000006EF9B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-29-0x000000006E9F0000-0x000000006EF9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads