agenttesla | c96565623c3e405a370614f452383a763f5a48baf25e79f91a6311c9a0a8fd3a

General

Target

Total Invoices.exe
Size

789KB
MD5

cd3c05ebb9a3fca7aa748f522559b1ea
SHA1

43dc8cdf47186a54dc38cd86450aca6f6361a9b4
SHA256

c96565623c3e405a370614f452383a763f5a48baf25e79f91a6311c9a0a8fd3a
SHA512

5d11d8dbec417ed7c8bd9f2b49925c01440b4d517cff1190d411e832528550f0e6645c7005dbd0953aafb82ba7d25977351f0ad5aba5736bd62140a3d0cc2e6a
SSDEEP

24576:7ldr5ja9fm5r+jrZf1vsAJ2jN5GFhXuv:7lbjH5srZtvXouj

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.unitechautomations.com
Port:
587
Username:
[email protected]
Password:
Unitech@123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Total Invoices.exe

description pid process target process

PID 3048 set thread context of 2452 3048 Total Invoices.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2752 schtasks.exe

description	pid	process	target process
PID 3048 set thread context of 2452	3048	Total Invoices.exe	RegSvcs.exe

pid	process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Total Invoices.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
3048	Total Invoices.exe
3048	Total Invoices.exe
3048	Total Invoices.exe
2716	powershell.exe
2568	powershell.exe
3048	Total Invoices.exe
2452	RegSvcs.exe
2452	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Total Invoices.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3048	Total Invoices.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2452	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Total Invoices.exe

description	pid	process	target process
PID 3048 wrote to memory of 2568	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2568	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2568	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2568	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2716	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2716	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2716	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2716	3048	Total Invoices.exe	powershell.exe
PID 3048 wrote to memory of 2752	3048	Total Invoices.exe	schtasks.exe
PID 3048 wrote to memory of 2752	3048	Total Invoices.exe	schtasks.exe
PID 3048 wrote to memory of 2752	3048	Total Invoices.exe	schtasks.exe
PID 3048 wrote to memory of 2752	3048	Total Invoices.exe	schtasks.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe
PID 3048 wrote to memory of 2452	3048	Total Invoices.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe
"C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dWXyZYb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5956.tmp"
2⤵
- Creates scheduled task(s)
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5956.tmp
Filesize
1KB

MD5
72a456ac3521987c834c13f130cdc763

SHA1
01fd57866cc2bbe1abcd60c63de98630b801a57f

SHA256
468e8f551a1a65ad9d4eeffea66468ca3855b9d238cbca0aedcdf8689d073374

SHA512
0784a81e935fabc4354fdfb9e9416e68a737568a8c51a88693561d9605ab692504b42030183dc990b31a46870666417a9a6a2447827a5e1581a4dc8613e27a97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
991d3fec6f23bbaa3c92d6ac8a7ad142

SHA1
0fcf9b537ec1b0e17db68d4bbcd3bc7ebcbe4881

SHA256
63c95e3e9e42081263b67c2c681632c8036149fd2220c138dd6f992a899490d4

SHA512
137a0636834c4443051004879f188936031801438f2d09dca46c9738e17e441b2da0bad094ee55888716c44682d957ebf1d106f1858aa98ffe37432eafb079b9

Download Submit
memory/2452-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-42-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-46-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-43-0x000000006E680000-0x000000006EC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-30-0x000000006E680000-0x000000006EC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-39-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2568-40-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2568-33-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2568-36-0x000000006E680000-0x000000006EC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-41-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2716-44-0x000000006E680000-0x000000006EC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-38-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2716-32-0x000000006E680000-0x000000006EC2B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-5-0x0000000000780000-0x0000000000794000-memory.dmp

Filesize
80KB

Download
memory/3048-35-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-1-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-4-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/3048-6-0x00000000005B0000-0x0000000000634000-memory.dmp

Filesize
528KB

Download
memory/3048-3-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/3048-2-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/3048-0-0x0000000000160000-0x000000000022C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads