agenttesla | 3ba76c9d42f8f48ddfd54277601914d532fadf1cf4cb5b5bbf963edbb20c0b18

General

Target

7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe
Size

662KB
MD5

b0d6b7687c3d3094a6948313bf920520
SHA1

f8fc61a6ca2326ab72ff41bf546b041ec3b5e7da
SHA256

7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38
SHA512

faa5ce82ec8ab00c5606a6120d5575d0aee51edc362dc86f91e445ca4e603541180f78b20c85b3cc22a264ff6a216022a2f070a2a7e5a74aef751e1cb303b805
SSDEEP

12288:GxEd6oXmzYCIF1JhXfyq1x5h1ltlCcKErQPTmHD8X2JsAKZm/pl5ocGppGAOg4Cb:GxcOcCg17Xqw53jlUrmHG2J0g/plXMvL

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.guestequipment.com.au
Port:
587
Username:
[email protected]
Password:
Clone89!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2568	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe
2568	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe
2552	powershell.exe
2508	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2552	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	28
PID 1664 wrote to memory of 2552	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	28
PID 1664 wrote to memory of 2552	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	28
PID 1664 wrote to memory of 2552	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	28
PID 1664 wrote to memory of 2508	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	30
PID 1664 wrote to memory of 2508	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	30
PID 1664 wrote to memory of 2508	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	30
PID 1664 wrote to memory of 2508	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	30
PID 1664 wrote to memory of 2572	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	32
PID 1664 wrote to memory of 2572	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	32
PID 1664 wrote to memory of 2572	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	32
PID 1664 wrote to memory of 2572	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	32
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34
PID 1664 wrote to memory of 2568	1664	7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe	34

C:\Users\Admin\AppData\Local\Temp\7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe
"C:\Users\Admin\AppData\Local\Temp\7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tekHOfaCemmCHA.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tekHOfaCemmCHA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC8AC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe
  "C:\Users\Admin\AppData\Local\Temp\7b25460c3bb97a058fee383083d303e03e6e2de48f48df28ad6842c817665c38.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC8AC.tmp

Filesize
1KB

MD5
f9575a0dc2eb8682597872750770c33d

SHA1
3f5e41f1564fc74a49249cc97605d3e885943f08

SHA256
2b012651587e556841f4c7ac3d7a992cce479ef4652a2a6e0826a0dfdde4b020

SHA512
1744fc9129c958d573678522da899ecfcc2dd6f580265fb74e505e9022f15a62ce0f0c5cb2c992394239fea25b5d231f9197a8eadd7f9f2de574ee0f0abbe6cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1H7DEM4CNRTRAOG7H13K.temp

Filesize
7KB

MD5
179d87e93bcc62666f63167e2a45e055

SHA1
711857f3678c8ccce00353a7fe33afc0e735219b

SHA256
bee268232ad1d5de707008db0474a3f599ef5194d2ad95f08d425e946ac4415e

SHA512
fc4381538a58308599468255bbda4e6d74b99adfe6bd0a0ecf490ebafefb63ff631d6a1e3b837fbb652207deab27443a80c3b309b89cd22264e541e2ad9a0c44

Download Submit
memory/1664-6-0x00000000048A0000-0x0000000004928000-memory.dmp

Filesize
544KB

Download
memory/1664-3-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1664-4-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1664-5-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/1664-29-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-2-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/1664-1-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-0-0x0000000000E20000-0x0000000000ECC000-memory.dmp

Filesize
688KB

Download
memory/2508-45-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-41-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2508-36-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2508-35-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2508-34-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-40-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2552-37-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-44-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-33-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-43-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2552-42-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2568-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-38-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-39-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2568-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-46-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-47-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads