agenttesla | cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08

General

Target

cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe
Size

689KB
MD5

2f4cba8ab7e60939af72d2ba6c35e144
SHA1

6f2de99caafe01e9e74f25cc932c2e72a15da575
SHA256

cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08
SHA512

8c3c1dfac4f0d843e6636a745b4d0eaeb5dc5be21dd56da4c0b7af92ac207727d8e0f8dc0bbfd3acba6591a336ddf09e243452684eb1e03cd7d65fcf619ce754
SSDEEP

12288:q/VN0YOwqOp9TbVLiFl/KRQNTEj9rgWON9r1mLz8ar0s6PTQVBu:aO7MRL+xoQNn9BMgs6rY

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
phoenixblowers.com
Port:
587
Username:
[email protected]
Password:
Officeback@2022#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe

description	pid	process	target process
PID 2284 set thread context of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2488 schtasks.exe

pid	process
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe
2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe
2436	powershell.exe
2660	powershell.exe
524	RegSvcs.exe
524	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	524	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe

description	pid	process	target process
PID 2284 wrote to memory of 2660	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2660	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2660	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2660	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2436	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2436	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2436	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2436	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	powershell.exe
PID 2284 wrote to memory of 2488	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	schtasks.exe
PID 2284 wrote to memory of 2488	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	schtasks.exe
PID 2284 wrote to memory of 2488	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	schtasks.exe
PID 2284 wrote to memory of 2488	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	schtasks.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe
PID 2284 wrote to memory of 524	2284	cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe
"C:\Users\Admin\AppData\Local\Temp\cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cc1402d5aa805ba0388e53cf51d075ce8eda9661afba3832d4356f5b16a7ba08.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bTUPaRVjF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bTUPaRVjF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE12B.tmp"
2⤵
- Creates scheduled task(s)
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE12B.tmp
Filesize
1KB

MD5
d79729dff031a1bfdda1873259bac79e

SHA1
f989ebc76ba65fac4885aacded38039c1420f4b3

SHA256
87aa3381c449c17c3b011387dae2fb280096d198372ceebb484bcb1e8681bad7

SHA512
1c84fc031326682839a1b2e9a8ab98642b9e9b5c094add0c016d953f6b3d4a47b9fb934c3011dc66bdbb697c67113f9b569b09c2ca4ff059dc03109b67d8d0c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
98d11ef4442ebfd8a0d5021c62158e45

SHA1
e05dce836c846788bfcdd140b198a2639ef602f2

SHA256
86ddf019305e9432a3b9206e881e9ba053f3870d307e31d3224f06b61c34fb35

SHA512
0f6e5182a83404d731e100f0e613497e9feaa9d08c16f182d5e84d9ae63e4696750e4f36b7b166ef037eb1fcba40190296f6dd083406e6c2b17447f0b8f36bc6

Download Submit
memory/524-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-41-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/524-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-46-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/524-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/524-45-0x00000000724A0000-0x0000000072B8E000-memory.dmp

Filesize
6.9MB

Download
memory/524-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-42-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/2284-3-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/2284-0-0x0000000000040000-0x00000000000F2000-memory.dmp

Filesize
712KB

Download
memory/2284-1-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-4-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2284-2-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2284-5-0x0000000004F20000-0x0000000004FA2000-memory.dmp

Filesize
520KB

Download
memory/2284-35-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-22-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-32-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2436-37-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2436-28-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/2436-43-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-39-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2660-33-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2660-26-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-44-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-24-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2660-20-0x000000006EB70000-0x000000006F11B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads