agenttesla | e48b7b9ba50d500f569024126a2ff8981db13525ff378ea2151ce8d6b7e4e452

General

Target

Overdue Account.pdf.exe
Size

670KB
MD5

81937e479c70381a7527b21693ab3e6c
SHA1

fbac04ef1e0315bff71d908496309d731da30c75
SHA256

e48b7b9ba50d500f569024126a2ff8981db13525ff378ea2151ce8d6b7e4e452
SHA512

35b56dce2a110c145a4c4bef02a5e0151835ea1f1d64891e346f77bf3ce4a3cae2b81f098e819183a2f664f28997845a22b071805e76c97a009b2f6241bbaded
SSDEEP

12288:PBB778QJ5RBdmrRwANBlJi/l/XbBzN5L/ObdOC0uCnGbmSAnJGXuY7GzkR:ZBDB0rqclJeNvL/EpV5bmJKu0

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.nooshdaroodc.com
Port:
587
Username:
[email protected]
Password:
Nou$h@Darou
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Overdue Account.pdf.exe

description pid process target process

PID 2100 set thread context of 2500 2100 Overdue Account.pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2452 schtasks.exe

description	pid	process	target process
PID 2100 set thread context of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe

pid	process
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Overdue Account.pdf.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2100	Overdue Account.pdf.exe
2100	Overdue Account.pdf.exe
2100	Overdue Account.pdf.exe
2100	Overdue Account.pdf.exe
2100	Overdue Account.pdf.exe
2100	Overdue Account.pdf.exe
2860	powershell.exe
2552	powershell.exe
2100	Overdue Account.pdf.exe
2500	RegSvcs.exe
2500	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Overdue Account.pdf.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2100	Overdue Account.pdf.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2500	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Overdue Account.pdf.exe

description	pid	process	target process
PID 2100 wrote to memory of 2552	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2552	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2552	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2552	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2860	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2860	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2860	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2860	2100	Overdue Account.pdf.exe	powershell.exe
PID 2100 wrote to memory of 2452	2100	Overdue Account.pdf.exe	schtasks.exe
PID 2100 wrote to memory of 2452	2100	Overdue Account.pdf.exe	schtasks.exe
PID 2100 wrote to memory of 2452	2100	Overdue Account.pdf.exe	schtasks.exe
PID 2100 wrote to memory of 2452	2100	Overdue Account.pdf.exe	schtasks.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe
PID 2100 wrote to memory of 2500	2100	Overdue Account.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Overdue Account.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Overdue Account.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Overdue Account.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kpSYqS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kpSYqS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp646E.tmp"
2⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp646E.tmp
Filesize
1KB

MD5
7b8de2840316f86b9545bfca01d77c5d

SHA1
4aa58fa175872e8362a8c8c4bbea310153eb86b2

SHA256
870b0c30da768eedee29406f166af398d5a892e50e7d1074cd493a0efe5d07b0

SHA512
3297748881207e6a14328925e06df1e8577bb4fe0a579301ff6d20ac03fda74ba8f7c22b1741915255bb40762ad401c12bdce01e12996c67750262a343cab889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P78O5EEC5UFIP1TUHX0S.temp
Filesize
7KB

MD5
316342d9caed64b8fe19c7f68b69b4e4

SHA1
135a4a49830852320794ca7dc22b11158fe7834e

SHA256
9795dd14758277eef9ee1e3fa59095be8f7b61fde2e78d65f49bf9288e2d27b8

SHA512
b1d53e4f0bbd21d4c6f6eb17775bf7cafbe89889537a9f6e75f86f648e5aa88a41895a8060eb8ba3251eb262c7bda27e592db42ff83ed4da34904088b6981c49

Download Submit
memory/2100-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2100-32-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2100-0-0x0000000001210000-0x00000000012BA000-memory.dmp

Filesize
680KB

Download
memory/2100-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2100-6-0x0000000004EC0000-0x0000000004F42000-memory.dmp

Filesize
520KB

Download
memory/2100-2-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2100-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2100-3-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2500-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads