agenttesla | c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa

General

Target

c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
Size

696KB
MD5

7ad71dff280a152a659a3e6533f782ad
SHA1

8a31b1faefa6ba58b3f244455f2eefc9b90cfc59
SHA256

c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa
SHA512

8311c1013ae0e516d1ca4ea8af2103f68dfebcc649b2170f3008c5575dc46e702b070182a34a58fd40a6747a2352a3a60d1fa06f8aee8468ee7cd148ad77896f
SSDEEP

12288:j+DbgnB778QeV4PEa67uYDjXwp4h77B4N8K8q1hrWDQM+/ED:qgnB25DDzF77BK1haDtf

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hliaka.gr
Port:
587
Username:
[email protected]
Password:
!@#hliaka@hliaka!@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe

description	pid	process	target process
PID 2184 set thread context of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

pid	process
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exec73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exepowershell.exepowershell.exe

pid	process
2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
2376	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
2376	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
1208	powershell.exe
2528	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exec73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
Token: SeDebugPrivilege	2376	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe

description	pid	process	target process
PID 2184 wrote to memory of 2528	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 2528	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 2528	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 2528	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 1208	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 1208	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 1208	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 1208	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	powershell.exe
PID 2184 wrote to memory of 1652	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	schtasks.exe
PID 2184 wrote to memory of 1652	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	schtasks.exe
PID 2184 wrote to memory of 1652	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	schtasks.exe
PID 2184 wrote to memory of 1652	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	schtasks.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
PID 2184 wrote to memory of 2376	2184	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe	c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe

C:\Users\Admin\AppData\Local\Temp\c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
"C:\Users\Admin\AppData\Local\Temp\c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bheCYnawNhl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bheCYnawNhl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp38BC.tmp"
2⤵
- Creates scheduled task(s)
PID:1652

C:\Users\Admin\AppData\Local\Temp\c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe
"C:\Users\Admin\AppData\Local\Temp\c73fabf4588d66f7394e905664c556cb7afd12bd9e05481576c3a97db33c2afa.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp38BC.tmp
Filesize
1KB

MD5
1d562a8ebd84d25a03c15193ef176ac8

SHA1
a8bc134c29be67b13009e14d1097916fca2b01f8

SHA256
4e4188f4d8dac57106a08b0157cc054dc099b665134fdac53005d701b588e5bc

SHA512
5c7cca00f381a3ddffea54375d1a6066886fa77bfa826643f581da7b4d926149ba3b6275a3c08936bd5aff8a1b325707a98f080f0dd7c1e449a02aa0a5417f19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ab903161c52efc0ddbf8d0f95c6b04e1

SHA1
76a829cb66f2386c3e54f74b6ed2a487ddfad384

SHA256
f728a9940891aef891a6a85fe03e6ae3aa77c01cfa1d21891491cac02de93a72

SHA512
5347b7c261714caa6d8371cb751f23ab7df8c65017d79434e42718d3ccb817271d3e48b7ae509f7023ed25ae889cf847e2d63b4557ab7348f74865bacad83e7f

Download Submit
memory/2184-4-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/2184-31-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-0-0x0000000000F50000-0x0000000001004000-memory.dmp

Filesize
720KB

Download
memory/2184-5-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/2184-6-0x00000000047C0000-0x0000000004844000-memory.dmp

Filesize
528KB

Download
memory/2184-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2184-1-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-3-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2376-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads