agenttesla | ad9fd8dbec8d71d3ef7b1ae8b2882b986b1f6b0a9de791d0693ebf551ada676a

General

Target

New order from CoreSystem Technology Limited.exe
Size

774KB
MD5

bea4d8667895e1b7583db6681f4015c2
SHA1

539e45783a3646fa32c5ad256fda8e7d7decf69d
SHA256

ad9fd8dbec8d71d3ef7b1ae8b2882b986b1f6b0a9de791d0693ebf551ada676a
SHA512

70250c94f648819de84a9a7634232fa8e5841e1331b649b1771eb5fc20dc90014a35757d90e4534f4c41ee4df3e9cc239ffcb598dd1f8ac2a66bcc643a4efa0c
SSDEEP

12288:zI8WET/mr9K+22BEEzFatnomOODVpgOVTp4YjzXGRLHVHpt+eQ2wREzItcYcegm9:5Wtb3BEuYFTp4WIL1HJLmEUtU/myA

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.springandsummer.lk
Port:
587
Username:
[email protected]
Password:
anu##323
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2876	powershell.exe
2600	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2508	3028	New order from CoreSystem Technology Limited.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3028	New order from CoreSystem Technology Limited.exe
3028	New order from CoreSystem Technology Limited.exe
3028	New order from CoreSystem Technology Limited.exe
3028	New order from CoreSystem Technology Limited.exe
3028	New order from CoreSystem Technology Limited.exe
3028	New order from CoreSystem Technology Limited.exe
3028	New order from CoreSystem Technology Limited.exe
2508	RegSvcs.exe
2508	RegSvcs.exe
2600	powershell.exe
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	New order from CoreSystem Technology Limited.exe
Token: SeDebugPrivilege	2508	RegSvcs.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2600	3028	New order from CoreSystem Technology Limited.exe	28
PID 3028 wrote to memory of 2600	3028	New order from CoreSystem Technology Limited.exe	28
PID 3028 wrote to memory of 2600	3028	New order from CoreSystem Technology Limited.exe	28
PID 3028 wrote to memory of 2600	3028	New order from CoreSystem Technology Limited.exe	28
PID 3028 wrote to memory of 2876	3028	New order from CoreSystem Technology Limited.exe	30
PID 3028 wrote to memory of 2876	3028	New order from CoreSystem Technology Limited.exe	30
PID 3028 wrote to memory of 2876	3028	New order from CoreSystem Technology Limited.exe	30
PID 3028 wrote to memory of 2876	3028	New order from CoreSystem Technology Limited.exe	30
PID 3028 wrote to memory of 2864	3028	New order from CoreSystem Technology Limited.exe	32
PID 3028 wrote to memory of 2864	3028	New order from CoreSystem Technology Limited.exe	32
PID 3028 wrote to memory of 2864	3028	New order from CoreSystem Technology Limited.exe	32
PID 3028 wrote to memory of 2864	3028	New order from CoreSystem Technology Limited.exe	32
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34
PID 3028 wrote to memory of 2508	3028	New order from CoreSystem Technology Limited.exe	34

C:\Users\Admin\AppData\Local\Temp\New order from CoreSystem Technology Limited.exe
"C:\Users\Admin\AppData\Local\Temp\New order from CoreSystem Technology Limited.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New order from CoreSystem Technology Limited.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BPwwHhZJvK.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BPwwHhZJvK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp

Filesize
1KB

MD5
4a4386fb6ae441135599089847116266

SHA1
32905ca0b72a746d1c8270d6b05b65f80bf07dfb

SHA256
e110284821ba96690ae89429f886dc78cfea3d7ec3503a643c73f6ff6b01850f

SHA512
0714177850bfe297b4bbb8fe746d58685de4f991c6c2a21c8590ea2ef05e6b1d2177563b16acbf262fe76369699ef4ab8d682412ecc9ea7ff93846f484e78361

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SM7EP8YWHY9ATIE0S2RM.temp

Filesize
7KB

MD5
0ee1010758dc0b8be205149d2003fe40

SHA1
2edaccb8a4a6edb544b483cbf544cfb77a8b8cfc

SHA256
9518fbccbd2978ec2aa05ac2055669082cff93e6e4d56a2ca78420eb203e7db3

SHA512
96fceac30d2154ada4093d9bfb88e0efb00c7b067bbf9d115078542c58b3d634049bd2672b2de3a26b0250301d2f34a88bdbad879e7f6b58729a39a6bc7727c8

Download Submit
memory/2508-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3028-6-0x000000000D140000-0x000000000D1C4000-memory.dmp

Filesize
528KB

Download
memory/3028-1-0x0000000000030000-0x00000000000F4000-memory.dmp

Filesize
784KB

Download
memory/3028-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-3-0x00000000005A0000-0x00000000005C2000-memory.dmp

Filesize
136KB

Download
memory/3028-5-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3028-4-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/3028-32-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads