agenttesla | 57cfb4702d6902a5848f4c9536381f46e1b1b4870f5df749ba4d3f15660e8947

General

Target

Overdue Account.exe
Size

672KB
MD5

8858954bbf2c3f1525ca1f6d07788ba3
SHA1

5b7d021ebb6e64abbdc51a5c0469f6287f1924f1
SHA256

57cfb4702d6902a5848f4c9536381f46e1b1b4870f5df749ba4d3f15660e8947
SHA512

7e542f25518fa023c844b3924c73ab5e65ff15ddc8731a8af5b34ce30aa53f87fdee78b7c53a8e968240d73c5cadcb76a05a5374dea072c6e259e989dbc7c70d
SSDEEP

12288:kRkB778QH82WS8U9AadmiotMCi3uQiXD0gNVT8d0W4Ubk0ILqRKs8i3W6BvxBkR:KkBR82vZ9An9pZQg0qZW00MqRKiG69+

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.plsco.org
Port:
587
Username:
[email protected]
Password:
fghbnm@PLS#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Overdue Account.exe

description pid process target process

PID 2056 set thread context of 2488 2056 Overdue Account.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2968 schtasks.exe

description	pid	process	target process
PID 2056 set thread context of 2488	2056	Overdue Account.exe	RegSvcs.exe

pid	process
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Overdue Account.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2056	Overdue Account.exe
2056	Overdue Account.exe
2056	Overdue Account.exe
2056	Overdue Account.exe
2056	Overdue Account.exe
2056	Overdue Account.exe
2324	powershell.exe
2596	powershell.exe
2056	Overdue Account.exe
2488	RegSvcs.exe
2488	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Overdue Account.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2056	Overdue Account.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2488	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Overdue Account.exe

description	pid	process	target process
PID 2056 wrote to memory of 2324	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2324	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2324	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2324	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2596	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2596	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2596	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2596	2056	Overdue Account.exe	powershell.exe
PID 2056 wrote to memory of 2968	2056	Overdue Account.exe	schtasks.exe
PID 2056 wrote to memory of 2968	2056	Overdue Account.exe	schtasks.exe
PID 2056 wrote to memory of 2968	2056	Overdue Account.exe	schtasks.exe
PID 2056 wrote to memory of 2968	2056	Overdue Account.exe	schtasks.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe
PID 2056 wrote to memory of 2488	2056	Overdue Account.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Overdue Account.exe
"C:\Users\Admin\AppData\Local\Temp\Overdue Account.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Overdue Account.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ujCdfdU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ujCdfdU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp"
2⤵
- Creates scheduled task(s)
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp
Filesize
1KB

MD5
078dee0bb3717a16c9466a8bd280ace1

SHA1
95b67b8b6b98dd6d6a8cfb14782b7b5d16689c68

SHA256
36570ae722d05bef9057edcc35caf9cfd0e873b29b24156ed0c571719d2bed15

SHA512
5865e06ac9f1f736c20b59ae34bd1c5ee280b9fa61d957e15236a026ca1556716a097e7c09f769efc2b057977d2437377741e2edf89a214eb670c85184c10bae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e56fd9d89647f612431ddab9943b3e3c

SHA1
9e8280dec45a9d448ae3b12ce79d9867bed8fdef

SHA256
3d0a332cbdbac55d05fae59c7064b604bcde3816f672d3639eea2116395a3160

SHA512
e7c06230f62b0db8476012b27fd6d70c0681dcdcf0c6a5f48bae13da31d2a61177e434e2adeeaf48e47cd1e33b477ac113fd21ac5b40eb6ac2e0519eaf482ab4

Download Submit
memory/2056-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2056-3-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/2056-0-0x0000000000300000-0x00000000003AA000-memory.dmp

Filesize
680KB

Download
memory/2056-5-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2056-6-0x0000000004BB0000-0x0000000004C32000-memory.dmp

Filesize
520KB

Download
memory/2056-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2056-1-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-33-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-32-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads