agenttesla | 871ae800103263eba6b125c860687fb668e67eb23fc3bcfb59d93600f31af9de

General

Target

BL_Docs_April29.exe
Size

712KB
MD5

821b50ff336504c74840dc7d66a02a96
SHA1

aaa9215c4fbea8825d1920540639378955e62fa1
SHA256

d92ba5974de2d71b7dade685562677a4bb5727e3456660cebabb084e14b8ad1d
SHA512

4257d2a0a2601aaeeedcb58f561bd1a1bdea587bb4fbd047bc3c1c0a5e7a75c13a891c4f73eceddec2193640680db184cc411c5db0b9f83483d02e8f17e9b2f1
SSDEEP

12288:q+DbgHB778QehnU6tE+NBG90ex9//aTm4ZSXNR/XrRg67yyFjfbNTzLgkR:rgHBIU6tE+q95xt/ay4iXru6GyFjfbNr

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
zqamcx.com
Port:
587
Username:
[email protected]
Password:
Methodman991
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

BL_Docs_April29.exe

description pid process target process

PID 1936 set thread context of 2464 1936 BL_Docs_April29.exe BL_Docs_April29.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2500 schtasks.exe

description	pid	process	target process
PID 1936 set thread context of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe

pid	process
2500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

BL_Docs_April29.exeBL_Docs_April29.exepowershell.exepowershell.exe

pid	process
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
1936	BL_Docs_April29.exe
2464	BL_Docs_April29.exe
2464	BL_Docs_April29.exe
2636	powershell.exe
2540	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

BL_Docs_April29.exeBL_Docs_April29.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1936	BL_Docs_April29.exe
Token: SeDebugPrivilege	2464	BL_Docs_April29.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BL_Docs_April29.exe

pid process

2464 BL_Docs_April29.exe

pid	process
2464	BL_Docs_April29.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

BL_Docs_April29.exe

description	pid	process	target process
PID 1936 wrote to memory of 2540	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2540	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2540	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2540	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2636	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2636	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2636	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2636	1936	BL_Docs_April29.exe	powershell.exe
PID 1936 wrote to memory of 2500	1936	BL_Docs_April29.exe	schtasks.exe
PID 1936 wrote to memory of 2500	1936	BL_Docs_April29.exe	schtasks.exe
PID 1936 wrote to memory of 2500	1936	BL_Docs_April29.exe	schtasks.exe
PID 1936 wrote to memory of 2500	1936	BL_Docs_April29.exe	schtasks.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe
PID 1936 wrote to memory of 2464	1936	BL_Docs_April29.exe	BL_Docs_April29.exe

C:\Users\Admin\AppData\Local\Temp\BL_Docs_April29.exe
"C:\Users\Admin\AppData\Local\Temp\BL_Docs_April29.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL_Docs_April29.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oPDGvBL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oPDGvBL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7723.tmp"
2⤵
- Creates scheduled task(s)
PID:2500

C:\Users\Admin\AppData\Local\Temp\BL_Docs_April29.exe
"C:\Users\Admin\AppData\Local\Temp\BL_Docs_April29.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7723.tmp
Filesize
1KB

MD5
ea804a037427e1da235fd23516c8956c

SHA1
3cb608e5af009cc9f915864dd23fa0eeb93fc0f2

SHA256
4d73ac4fcdb2c7e0c77bdb3efbfedbdd8c5ddcd7709fccf17ebe539a7616cd37

SHA512
688fbe51355fc695252a2a0cdb526ded1483855759cf6cf0c130dd3168a7a1f562ae7b3e85319389ec64a9a2ff267cbe26733d3d3975c8eb1d7451a94bf99666

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q5KMN943C77263LOQ8UY.temp
Filesize
7KB

MD5
2246079be59e2b62ac063d90e43de480

SHA1
333666e95844cd8a7c3c50e332481a0a374b3871

SHA256
f1ab0970aa2860685c11207c7d8a20f086f889cc293a530068b5939fb5e86258

SHA512
e95e3bc8c24b6d7db7b283ad190cd40cd038363148716cb29afed510dc01a9d421ea057e290c525cab3eca77e4c58f5244355d5573c3f27b1ef45184965b7c28

Download Submit
memory/1936-5-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/1936-34-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-4-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/1936-0-0x0000000000D40000-0x0000000000DF6000-memory.dmp

Filesize
728KB

Download
memory/1936-6-0x0000000004BC0000-0x0000000004C44000-memory.dmp

Filesize
528KB

Download
memory/1936-7-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-8-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1936-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1936-1-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-3-0x00000000009A0000-0x00000000009B8000-memory.dmp

Filesize
96KB

Download
memory/2464-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads