agenttesla | 4d45761cedab312c04a4786ca195da76c1906f1fcd23e1cf82d1554767c319f3

General

Target

PURCHASE ORDER.exe
Size

670KB
MD5

82ed2d50defbaa3056e1216f7a04fd29
SHA1

b0c53c84b62236adb6dbe7adad055e13c6ff58cd
SHA256

5367bdd7476c6a1d2ac38b0d8efcbaba0c74176f86cc0f76e925407e62605071
SHA512

550d35d6c2dae4cf1d818a5d6d77d9359cdf4420d1dcd831cd39c179bacaf441800afe11d0961f8affe718f349d0aed92816c4b8d0c15a95231a7dad453e9356
SSDEEP

12288:sme0YOwq0IDzlpnjRSsrj65vGdaM6Ge/zqdrAamH8Wss:+O70I3lbBaZo6a3Wb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shivomrealty.com
Port:
587
Username:
[email protected]
Password:
Priya1982#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

PURCHASE ORDER.exe

description pid process target process

PID 2044 set thread context of 592 2044 PURCHASE ORDER.exe PURCHASE ORDER.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2168 schtasks.exe

description	pid	process	target process
PID 2044 set thread context of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe

pid	process
2168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PURCHASE ORDER.exePURCHASE ORDER.exepowershell.exepowershell.exe

pid	process
2044	PURCHASE ORDER.exe
2044	PURCHASE ORDER.exe
2044	PURCHASE ORDER.exe
592	PURCHASE ORDER.exe
592	PURCHASE ORDER.exe
1968	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PURCHASE ORDER.exePURCHASE ORDER.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	PURCHASE ORDER.exe
Token: SeDebugPrivilege	592	PURCHASE ORDER.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PURCHASE ORDER.exe

description	pid	process	target process
PID 2044 wrote to memory of 1288	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1288	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1288	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1288	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1968	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1968	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1968	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 1968	2044	PURCHASE ORDER.exe	powershell.exe
PID 2044 wrote to memory of 2168	2044	PURCHASE ORDER.exe	schtasks.exe
PID 2044 wrote to memory of 2168	2044	PURCHASE ORDER.exe	schtasks.exe
PID 2044 wrote to memory of 2168	2044	PURCHASE ORDER.exe	schtasks.exe
PID 2044 wrote to memory of 2168	2044	PURCHASE ORDER.exe	schtasks.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 2044 wrote to memory of 592	2044	PURCHASE ORDER.exe	PURCHASE ORDER.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\azSeNNFbJYW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\azSeNNFbJYW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89B9.tmp"
2⤵
- Creates scheduled task(s)
PID:2168

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp89B9.tmp
Filesize
1KB

MD5
ac2efacf77ac6344cafc7701e741da9c

SHA1
18dfe0b5e76f4e77d7afb797f8837423df7af0d6

SHA256
5ea97112985b4ad2a3a95948d68abb9a927663910bbf6ad9764ca1737486a27b

SHA512
46713dddf39aa72e31815c58c432b6a48cfcfa6fbe54db96492cca72864ae5b71bfbbf5ce984e2aa5d3a96ecb69e737685796fb54d97fc163a493b86dae39e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7cdeb7a6324d10c8b243c36ab329cfea

SHA1
a2b2e300147fd9ce1f9e96e7bac6d86b927f9e55

SHA256
87e9dd82e06036e1a3755bd1bf6cd65550f729e4c84c77306e4e5fd30ccbb326

SHA512
482c06b9f10fb8af88991d392b084673dda1c4c15a8d5650a7126f41e14cb4a90e12e396e49511547237c8b1bb432baa45aff6678afbf3b634efcc332a36dbea

Download Submit
memory/592-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/592-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-41-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/592-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-37-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/592-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-39-0x000000006FD60000-0x000000007030B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-38-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1288-36-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1288-32-0x000000006FD60000-0x000000007030B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-34-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1968-40-0x000000006FD60000-0x000000007030B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-35-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1968-33-0x000000006FD60000-0x000000007030B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-31-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-1-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-4-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2044-3-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/2044-0-0x00000000008B0000-0x000000000095E000-memory.dmp

Filesize
696KB

Download
memory/2044-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2044-5-0x00000000053A0000-0x0000000005422000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads