agenttesla | 6fde7f531438d2122f5b9b31f9aca0d1fbbef59e20d73cf81eac9b6250dededc

General

Target

invoice CHN1080769.PDF.exe
Size

761KB
MD5

77c6015c8c679abe8cd11cb51125f6c9
SHA1

f9fd8a7f13b03480ae58622c228d6a6bb660f409
SHA256

63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8
SHA512

510a8a2e2905eebd97bbda9e4cf183392b59aa18f9bb3278fed82fd10721ebc1ad06633992e6f4ee8b4eb64b4d89cf185aeab3b316d041ccb523c0d46110f52a
SSDEEP

12288:YzDn6yWn7fcpVZlu/6uHD73sYw0WJv1/wHiksaGdt8qmUMbpG/IinMkqFozGrCWW:sn698VVYHst0WrTkGrpm4/nMHvv/QO4v

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shaktiinstrumentations.in
Port:
587
Username:
[email protected]
Password:
Shakti54231!@#$%#@!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2584 powershell.exe
2652 powershell.exe

pid	process
2584	powershell.exe
2652	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

invoice CHN1080769.PDF.exe

description pid process target process

PID 1608 set thread context of 2536 1608 invoice CHN1080769.PDF.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2052 schtasks.exe

description	pid	process	target process
PID 1608 set thread context of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe

pid	process
2052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

invoice CHN1080769.PDF.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
1608	invoice CHN1080769.PDF.exe
1608	invoice CHN1080769.PDF.exe
1608	invoice CHN1080769.PDF.exe
1608	invoice CHN1080769.PDF.exe
1608	invoice CHN1080769.PDF.exe
1608	invoice CHN1080769.PDF.exe
1608	invoice CHN1080769.PDF.exe
2536	RegSvcs.exe
2536	RegSvcs.exe
2584	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

invoice CHN1080769.PDF.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1608	invoice CHN1080769.PDF.exe
Token: SeDebugPrivilege	2536	RegSvcs.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

invoice CHN1080769.PDF.exe

description	pid	process	target process
PID 1608 wrote to memory of 2584	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2584	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2584	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2584	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2652	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2652	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2652	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2652	1608	invoice CHN1080769.PDF.exe	powershell.exe
PID 1608 wrote to memory of 2052	1608	invoice CHN1080769.PDF.exe	schtasks.exe
PID 1608 wrote to memory of 2052	1608	invoice CHN1080769.PDF.exe	schtasks.exe
PID 1608 wrote to memory of 2052	1608	invoice CHN1080769.PDF.exe	schtasks.exe
PID 1608 wrote to memory of 2052	1608	invoice CHN1080769.PDF.exe	schtasks.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe
PID 1608 wrote to memory of 2536	1608	invoice CHN1080769.PDF.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ziQWPdVrQxk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ziQWPdVrQxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp784B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp784B.tmp

Filesize
1KB

MD5
d3a0c6281ececf8168634388ee2b57b0

SHA1
5fbcd820e03899f0099e618f0c96f2b9b60b0b6b

SHA256
bee4b5db8c5a356f1413c5b15ce842d9fece0bf542a68daea7913335d4d43c8a

SHA512
1d13f9161049a9166f37f2e828923374e33aed23e093fc1e5e055b72c564a98916e3ce46e3264a5c48d65067e9ea08bb0a1e68165d30088c2f8c25c7eb9fda8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2e84b96bd6e9899cb2a22efd930cba3f

SHA1
dec31a2d34980904094b9dae3ae20c17eaddb7a8

SHA256
1b51002e1137b30d75cf80489cbba1a493e5edf2568d3c371956f969003210f2

SHA512
36e08f9aa11be8e10ee25c9a24321fb413fa41447e6aa0248606b4ca49d9d0e59abdc522cd37a85c704d4b85fc7b79917d7c07d98d36a0b6c0a4d310b22e5052

Download Submit
memory/1608-4-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1608-3-0x00000000008A0000-0x00000000008C2000-memory.dmp

Filesize
136KB

Download
memory/1608-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/1608-5-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1608-6-0x0000000005830000-0x00000000058B4000-memory.dmp

Filesize
528KB

Download
memory/1608-2-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-1-0x0000000000DE0000-0x0000000000EA0000-memory.dmp

Filesize
768KB

Download
memory/1608-19-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/1608-33-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads