agenttesla | 117e35edd9fa69ec27a43656fd7ddc5128b2a8e315d558d7d3a4cb6fdebd0a89

General

Target

SOA.exe
Size

668KB
MD5

1b3feb610357e53c06656f8f084b7fe8
SHA1

135db2eecfdf9ec9f9a0a8ee5efe777e0f68437c
SHA256

530b019d1e22535451dbefd997a09c85eeeaa313b114c67ab67329d5fe14e8fc
SHA512

1773aceba4bcf0ac857a26240d63b0d700cd4a2d56e4984f3c9479653601ff737a438e97b7abc75c640c9a82665092a4d751968b9a90ac25b5f5cc6d86526ff8
SSDEEP

12288:24B778Q+A/y4Zz/LQglOYiZmxjIw3jbOFu5mQf0MiZA+tlEXF4xAKkR:PB1/LMYiZ884guyN3QXF4WJ

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.vpindustries.co.in
Port:
587
Username:
[email protected]
Password:
saleS*9988
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA.exe

description pid process target process

PID 2224 set thread context of 2500 2224 SOA.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2756 schtasks.exe

description	pid	process	target process
PID 2224 set thread context of 2500	2224	SOA.exe	RegSvcs.exe

pid	process
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SOA.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
2224	SOA.exe
2224	SOA.exe
2224	SOA.exe
2224	SOA.exe
2224	SOA.exe
2224	SOA.exe
2224	SOA.exe
2500	RegSvcs.exe
2500	RegSvcs.exe
2668	powershell.exe
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SOA.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2224	SOA.exe
Token: SeDebugPrivilege	2500	RegSvcs.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SOA.exe

description	pid	process	target process
PID 2224 wrote to memory of 2668	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2668	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2668	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2668	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2724	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2724	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2724	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2724	2224	SOA.exe	powershell.exe
PID 2224 wrote to memory of 2756	2224	SOA.exe	schtasks.exe
PID 2224 wrote to memory of 2756	2224	SOA.exe	schtasks.exe
PID 2224 wrote to memory of 2756	2224	SOA.exe	schtasks.exe
PID 2224 wrote to memory of 2756	2224	SOA.exe	schtasks.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe
PID 2224 wrote to memory of 2500	2224	SOA.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RGziIWDEowC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RGziIWDEowC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB68.tmp"
2⤵
- Creates scheduled task(s)
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEB68.tmp
Filesize
1KB

MD5
c83c64799ea591ffda70c6738842bfab

SHA1
ea72613cf7d5713d51d484f9b3b37290c0bb673f

SHA256
4992e4f4ce13898c137b56fae6e0ae5c66bd68c0c3723e2def96d8005f07bfc6

SHA512
0a7f81d6beb4d1f81755f981f9aa4dc13c8f5463e2e572ded67fc45cf25cd96c652beea574e9061c071340a43ecad9ea3a361adc13e35423a7c0626a764dad25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
be77be0bb38cce9c75961bfa434de9c0

SHA1
1a908d1a2f201761fdd9c7b24d863c7beba9ac3c

SHA256
6ee24d39bd079f67e9f4c05312ecf87e14c0830fd30f4d693234d3665a72a6f4

SHA512
bbdcc548a020b33698ff8743ea72b930d72eefe70445e4dac944ce7f73c517a10fb273ca852588c13a431aa4a5be5b3b69ef60c32fa577898f97673f3559b747

Download Submit
memory/2224-4-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2224-3-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/2224-0-0x0000000000E00000-0x0000000000EAA000-memory.dmp

Filesize
680KB

Download
memory/2224-5-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2224-6-0x0000000004EA0000-0x0000000004F24000-memory.dmp

Filesize
528KB

Download
memory/2224-7-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2224-1-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-33-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads