agenttesla | fae69b134cf4349b6caaac924c73c20172e9c6768501e4b63fc386bbe5ef7205

General

Target

statement and invoices.exe
Size

828KB
MD5

7ca522120ba2f516eeabd3d3979c14eb
SHA1

3da00a3e7c38b1cab49e7a443a33de11dbd642fc
SHA256

9da495f395181d2188e798281ad85b82acdf6d1185c28885fe193c6c48f78a93
SHA512

2eb76c682e5f86f6148750003e4b51375d7ac58e3486157b0c55da98073fb6f852fa0ef209115f0c8223e2f081df4ecff56e181af540da49fd0819a832cb73b8
SSDEEP

24576:bDPjKr5BND8Vqr4MYBt7xa42c//Bs9zEi:vk5BNggrzia7c3SF

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.probending.co.th
Port:
587
Username:
[email protected]
Password:
9aglmaj6C5hF
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

statement and invoices.exe

description pid process target process

PID 2044 set thread context of 2840 2044 statement and invoices.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2688 schtasks.exe

description	pid	process	target process
PID 2044 set thread context of 2840	2044	statement and invoices.exe	RegSvcs.exe

pid	process
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

statement and invoices.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2044	statement and invoices.exe
2044	statement and invoices.exe
2044	statement and invoices.exe
2044	statement and invoices.exe
2044	statement and invoices.exe
2044	statement and invoices.exe
2044	statement and invoices.exe
2636	powershell.exe
2024	powershell.exe
2840	RegSvcs.exe
2840	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

statement and invoices.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	statement and invoices.exe
Token: SeDebugPrivilege	2840	RegSvcs.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

statement and invoices.exe

description	pid	process	target process
PID 2044 wrote to memory of 2024	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2024	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2024	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2024	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2636	2044	statement and invoices.exe	powershell.exe
PID 2044 wrote to memory of 2688	2044	statement and invoices.exe	schtasks.exe
PID 2044 wrote to memory of 2688	2044	statement and invoices.exe	schtasks.exe
PID 2044 wrote to memory of 2688	2044	statement and invoices.exe	schtasks.exe
PID 2044 wrote to memory of 2688	2044	statement and invoices.exe	schtasks.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe
PID 2044 wrote to memory of 2840	2044	statement and invoices.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\statement and invoices.exe
"C:\Users\Admin\AppData\Local\Temp\statement and invoices.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\statement and invoices.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yrkroc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yrkroc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64AC.tmp"
2⤵
- Creates scheduled task(s)
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp64AC.tmp
Filesize
1KB

MD5
f055f0499e33a0209848e2b70a88d09e

SHA1
2492cb8e5e81f12bdf28040747bba0030e595339

SHA256
191270dc502e4997a46bce41a27cb023ac8f1aa414f16072d88790c4b12555bd

SHA512
c35eec34e4e18eb97892a99c83e7118afefb6aa833e24b636383d4b240ef675ebf4e2582c51caaac3a747e7f28fa0773095f423f7ab9f4e63fe142fb7c4d1256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O0721RZPML3VR4KRFGE4.temp
Filesize
7KB

MD5
4cd0847042157bb9e451e4cdf9c52dbd

SHA1
8598377f10163ff322b3cdfdad687dd3661fdd24

SHA256
69624b379463b6be0e3f1d0ba14705b0d3f177d196f84c479682eb92f8371db2

SHA512
f28ee8594d544915f129441e7f0c634822f6cd5b776301a345510e8c521733f509ebdbb1e3a62b02e36b0a973cef83eabbe7de0204280ba5901e12e822c83339

Download Submit
memory/2044-31-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-1-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-2-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2044-3-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/2044-4-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/2044-5-0x0000000005A40000-0x0000000005AC2000-memory.dmp

Filesize
520KB

Download
memory/2044-0-0x0000000000BE0000-0x0000000000CB0000-memory.dmp

Filesize
832KB

Download
memory/2840-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads