agenttesla | f3dbd53a7626f27b98eabb7aa8c42ffdcd5b93a382bf74476a05e94f20022160

General

Target

FDA.exe
Size

671KB
MD5

fd9af8f629d0d2e3e8cc132cdff97497
SHA1

1552f3db433eb345809069d011f2fb9684032738
SHA256

5d2b78785f719fda04cda095b4dfb75d00440fc39ab6e52d176a74786541bdaf
SHA512

227da1c0f9e83d3b0e757f269b32d617aec47990c5eb6f6787b6036951bab11f5f51051b1c56478fedc1bb8ae04de8404db5d67c437d4c5f20faa1645a77598e
SSDEEP

12288:y5B778QHjEpFzOiLqWEtkHyog+rUVHwP3yu1c2b2PIfQzk3bjzgtVlHxPpoTFqph:6BBiFz7LAkHDUVQPCu132csk3zybR+TS

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.vw-rmplcars.co.in
Port:
587
Username:
[email protected]
Password:
Gagan#456
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

FDA.exe

description pid process target process

PID 2696 set thread context of 2408 2696 FDA.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2112 schtasks.exe

description	pid	process	target process
PID 2696 set thread context of 2408	2696	FDA.exe	RegSvcs.exe

pid	process
2112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

FDA.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2696	FDA.exe
2696	FDA.exe
2696	FDA.exe
2696	FDA.exe
2696	FDA.exe
2696	FDA.exe
2568	powershell.exe
2620	powershell.exe
2696	FDA.exe
2408	RegSvcs.exe
2408	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

FDA.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2696	FDA.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2408	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

FDA.exe

description	pid	process	target process
PID 2696 wrote to memory of 2620	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2620	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2620	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2620	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2568	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2568	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2568	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2568	2696	FDA.exe	powershell.exe
PID 2696 wrote to memory of 2112	2696	FDA.exe	schtasks.exe
PID 2696 wrote to memory of 2112	2696	FDA.exe	schtasks.exe
PID 2696 wrote to memory of 2112	2696	FDA.exe	schtasks.exe
PID 2696 wrote to memory of 2112	2696	FDA.exe	schtasks.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe
PID 2696 wrote to memory of 2408	2696	FDA.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\FDA.exe
"C:\Users\Admin\AppData\Local\Temp\FDA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FDA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oziKUof.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oziKUof" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AA5.tmp"
2⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6AA5.tmp
Filesize
1KB

MD5
bcdd42ac02dc85f24c09c02809d70694

SHA1
0a4ebdc655652a35008766b8d8b7b6501fd9a4b9

SHA256
ac8eea71a1c3861ea2f5d8e2f538303a86695e16a1c5321ca4d04aa32e05afb8

SHA512
e0187f4b8d5968f1d79a06e9c57a54552037635e424eb6357813025265ab06c9561322cd77bad5015325fbc49df94095fe18d2234168d456147ec7ec49ed7d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
df5d8b27ee5732ba3f0767559a2d6c6c

SHA1
bdc4c69dc2d85e13bf5f2bbe1cb40626db140eaa

SHA256
ee3fb23d67ce5e8c3736355282c4a6947eb331e37d359be210838e0954f68dcc

SHA512
6a19e2539e5a9d5ecb57796124755e19267aa9be42fc9fdaa2af692a4b1afa88391bdf283e164e2d80a4dc96fd01d5a654de43b6ae0d887ec37dfa71d2ebe61c

Download Submit
memory/2408-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-4-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2696-6-0x0000000004700000-0x0000000004784000-memory.dmp

Filesize
528KB

Download
memory/2696-31-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2696-5-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/2696-0-0x0000000000030000-0x00000000000DA000-memory.dmp

Filesize
680KB

Download
memory/2696-3-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2696-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2696-1-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads