agenttesla | 41c1924e758c705eab2c725624c7c01923601d805c3e4ebe6cac379e32ed4140

General

Target

KZWCMNWmmqi9lvI.exe
Size

724KB
MD5

357819113a4c45ae00b90d06bdd54f67
SHA1

ed16e3a8b5d359f6f59cde2cfedc619bcf24bbfd
SHA256

41c1924e758c705eab2c725624c7c01923601d805c3e4ebe6cac379e32ed4140
SHA512

e0b1d910e4ff577c3bd50ddd6c26ad270c1c113645df887294113febb2f71c7905f7b1cc5e7f8f09a08ed11eaded5887f52607c15f6958c512ff3124727b321c
SSDEEP

12288:pGL21ILpqe2cWjoI8F1P3FkbBrmofmjuFP6U74BYE3+FhjXmZdwwpIl:IL21ILpqerAY3FkbZmofmvQFh6Hq

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.morabitur.com
Port:
587
Username:
[email protected]
Password:
Book&Confirm!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1136 set thread context of 2356	1136	KZWCMNWmmqi9lvI.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1136	KZWCMNWmmqi9lvI.exe
1136	KZWCMNWmmqi9lvI.exe
2356	RegSvcs.exe
2356	RegSvcs.exe
2432	powershell.exe
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	KZWCMNWmmqi9lvI.exe
Token: SeDebugPrivilege	2356	RegSvcs.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2432	1136	KZWCMNWmmqi9lvI.exe	28
PID 1136 wrote to memory of 2432	1136	KZWCMNWmmqi9lvI.exe	28
PID 1136 wrote to memory of 2432	1136	KZWCMNWmmqi9lvI.exe	28
PID 1136 wrote to memory of 2432	1136	KZWCMNWmmqi9lvI.exe	28
PID 1136 wrote to memory of 3024	1136	KZWCMNWmmqi9lvI.exe	30
PID 1136 wrote to memory of 3024	1136	KZWCMNWmmqi9lvI.exe	30
PID 1136 wrote to memory of 3024	1136	KZWCMNWmmqi9lvI.exe	30
PID 1136 wrote to memory of 3024	1136	KZWCMNWmmqi9lvI.exe	30
PID 1136 wrote to memory of 2848	1136	KZWCMNWmmqi9lvI.exe	32
PID 1136 wrote to memory of 2848	1136	KZWCMNWmmqi9lvI.exe	32
PID 1136 wrote to memory of 2848	1136	KZWCMNWmmqi9lvI.exe	32
PID 1136 wrote to memory of 2848	1136	KZWCMNWmmqi9lvI.exe	32
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34
PID 1136 wrote to memory of 2356	1136	KZWCMNWmmqi9lvI.exe	34

C:\Users\Admin\AppData\Local\Temp\KZWCMNWmmqi9lvI.exe
"C:\Users\Admin\AppData\Local\Temp\KZWCMNWmmqi9lvI.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\KZWCMNWmmqi9lvI.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YNmvek.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNmvek" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5BF.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC5BF.tmp

Filesize
1KB

MD5
10c34728aac61f940b4698fb68da39f4

SHA1
a36efc086a8684e4aa795edc4ae19298aa30b113

SHA256
cd52327d116b9579f1d82c4463242f66ad4ff3615f479d91b7eaf77e69027821

SHA512
f242b235010084935b9489ea3953a21aa5ecdbf5da7388e4e2274bec7f803443e767614132abca039c80ee8292b15335a10986fb12ebaa8b1c2af74602144973

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e328b923fceb09199a1dd4641bf6bffb

SHA1
d24ee23a6b0ece23b32f2dbfcd03801b61c0b1ee

SHA256
8257d94f704cae978568eb0cf797c5de6ff3c9d264697c643a06d835f2451430

SHA512
23a2e2308cd1d042afdec9a7e8a04fce7342a3dc7d3d11b42d4ebce3b7bb387829707a12ccfd8711e0f006ef4e59dc9ada47bf2d0a1e474cb2f3eb1edbbc965a

Download Submit
memory/1136-1-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1136-0-0x0000000000060000-0x000000000011A000-memory.dmp

Filesize
744KB

Download
memory/1136-2-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/1136-3-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download
memory/1136-4-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/1136-5-0x0000000000670000-0x0000000000684000-memory.dmp

Filesize
80KB

Download
memory/1136-6-0x0000000005E20000-0x0000000005EA2000-memory.dmp

Filesize
520KB

Download
memory/1136-38-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2356-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-47-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download
memory/2356-46-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-41-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download
memory/2356-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-40-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-21-0x000000006E290000-0x000000006E83B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-19-0x000000006E290000-0x000000006E83B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-42-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2432-43-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2432-45-0x000000006E290000-0x000000006E83B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-20-0x000000006E290000-0x000000006E83B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-44-0x000000006E290000-0x000000006E83B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-23-0x000000006E290000-0x000000006E83B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-22-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads