agenttesla | 2b00500da79ecddffab11f031a9d09b728a6f6bb9e9d9c3aba1a0996890016fa

General

Target

Total Invoices.exe
Size

789KB
MD5

cd3c05ebb9a3fca7aa748f522559b1ea
SHA1

43dc8cdf47186a54dc38cd86450aca6f6361a9b4
SHA256

c96565623c3e405a370614f452383a763f5a48baf25e79f91a6311c9a0a8fd3a
SHA512

5d11d8dbec417ed7c8bd9f2b49925c01440b4d517cff1190d411e832528550f0e6645c7005dbd0953aafb82ba7d25977351f0ad5aba5736bd62140a3d0cc2e6a
SSDEEP

24576:7ldr5ja9fm5r+jrZf1vsAJ2jN5GFhXuv:7lbjH5srZtvXouj

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.unitechautomations.com
Port:
587
Username:
[email protected]
Password:
Unitech@123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Total Invoices.exe

description pid process target process

PID 2176 set thread context of 2464 2176 Total Invoices.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2392 schtasks.exe

description	pid	process	target process
PID 2176 set thread context of 2464	2176	Total Invoices.exe	RegSvcs.exe

pid	process
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Total Invoices.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2176	Total Invoices.exe
2176	Total Invoices.exe
2176	Total Invoices.exe
2860	powershell.exe
2684	powershell.exe
2176	Total Invoices.exe
2464	RegSvcs.exe
2464	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Total Invoices.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2176	Total Invoices.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2464	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Total Invoices.exe

description	pid	process	target process
PID 2176 wrote to memory of 2684	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2684	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2684	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2684	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2860	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2860	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2860	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2860	2176	Total Invoices.exe	powershell.exe
PID 2176 wrote to memory of 2392	2176	Total Invoices.exe	schtasks.exe
PID 2176 wrote to memory of 2392	2176	Total Invoices.exe	schtasks.exe
PID 2176 wrote to memory of 2392	2176	Total Invoices.exe	schtasks.exe
PID 2176 wrote to memory of 2392	2176	Total Invoices.exe	schtasks.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe
PID 2176 wrote to memory of 2464	2176	Total Invoices.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe
"C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dWXyZYb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp676A.tmp"
2⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp676A.tmp
Filesize
1KB

MD5
72a456ac3521987c834c13f130cdc763

SHA1
01fd57866cc2bbe1abcd60c63de98630b801a57f

SHA256
468e8f551a1a65ad9d4eeffea66468ca3855b9d238cbca0aedcdf8689d073374

SHA512
0784a81e935fabc4354fdfb9e9416e68a737568a8c51a88693561d9605ab692504b42030183dc990b31a46870666417a9a6a2447827a5e1581a4dc8613e27a97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AKXC1ASRBYEIXRCT7NDA.temp
Filesize
7KB

MD5
809a84f98916131f179e7ccc565b1a32

SHA1
98f295e77ec5760e500ec07feaafb74d573adb3d

SHA256
14ddff3215a513aad56516c89750fd43682635e644a8532263ba4b6fb86c0ab1

SHA512
07f98c3251e04073184ac0567885d89dd36366428dcfe0e4575d975f91ed714e2243e95dfd78fb1edabf0fc3679369e69ad2588f6904c8269cec918ac00a78c2

Download Submit
memory/2176-31-0x00000000743E0000-0x0000000074ACE000-memory.dmp

Filesize
6.9MB

Download
memory/2176-1-0x00000000743E0000-0x0000000074ACE000-memory.dmp

Filesize
6.9MB

Download
memory/2176-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2176-3-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/2176-4-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2176-5-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/2176-6-0x00000000001F0000-0x0000000000274000-memory.dmp

Filesize
528KB

Download
memory/2176-0-0x0000000000920000-0x00000000009EC000-memory.dmp

Filesize
816KB

Download
memory/2464-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-44-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2464-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-47-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2464-43-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-46-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-30-0x000000006DEB0000-0x000000006E45B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-37-0x0000000002AC0000-0x0000000002B00000-memory.dmp

Filesize
256KB

Download
memory/2684-35-0x0000000002AC0000-0x0000000002B00000-memory.dmp

Filesize
256KB

Download
memory/2684-38-0x000000006DEB0000-0x000000006E45B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-33-0x000000006DEB0000-0x000000006E45B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-32-0x0000000002D30000-0x0000000002D70000-memory.dmp

Filesize
256KB

Download
memory/2860-39-0x000000006DEB0000-0x000000006E45B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-29-0x000000006DEB0000-0x000000006E45B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-36-0x000000006DEB0000-0x000000006E45B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-34-0x0000000002D30000-0x0000000002D70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads