agenttesla | 3154656cabe028daaaa85185fe521658adf8e39c36578a21b609c47f19d5dce4

General

Target

URGENT REQUEST FOR QUOTATION.exe
Size

775KB
MD5

3fd59a26eb8f645ac1f88e2ec2a3137a
SHA1

eb5135dd863bcfefa4a8e9e2fbd686068d6354e4
SHA256

785b8115d62f971593bacb7ddf5e0f0fa03ad2d3a077b91c88de788ee83f62b9
SHA512

486d81f9f07bd156ad5f1bcf127e4484399f8d43d1a6cfb09919f0971b276477c8bb5e7debd43087739c8c462488804f299017a043916c88ffd2318ecf7559d0
SSDEEP

24576:IWtb3BEXqdGFXcEm5t3bpP0PHBU4Z1ZM3fyD:TZBEqGKEm5HEhT06D

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.springandsummer.lk
Port:
587
Username:
[email protected]
Password:
anu##323
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2064 powershell.exe
2612 powershell.exe

pid	process
2064	powershell.exe
2612	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exe

description pid process target process

PID 1584 set thread context of 2516 1584 URGENT REQUEST FOR QUOTATION.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2652 schtasks.exe

description	pid	process	target process
PID 1584 set thread context of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe

pid	process
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
1584	URGENT REQUEST FOR QUOTATION.exe
1584	URGENT REQUEST FOR QUOTATION.exe
1584	URGENT REQUEST FOR QUOTATION.exe
1584	URGENT REQUEST FOR QUOTATION.exe
1584	URGENT REQUEST FOR QUOTATION.exe
1584	URGENT REQUEST FOR QUOTATION.exe
1584	URGENT REQUEST FOR QUOTATION.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
2064	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1584	URGENT REQUEST FOR QUOTATION.exe
Token: SeDebugPrivilege	2516	RegSvcs.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exe

description	pid	process	target process
PID 1584 wrote to memory of 2064	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2064	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2064	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2064	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2612	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2612	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2612	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2612	1584	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1584 wrote to memory of 2652	1584	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1584 wrote to memory of 2652	1584	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1584 wrote to memory of 2652	1584	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1584 wrote to memory of 2652	1584	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1584 wrote to memory of 2516	1584	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYQQcPA.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYQQcPA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp694E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp694E.tmp

Filesize
1KB

MD5
c5ba968d26452f3db91ea9c7737f3d85

SHA1
6d802f9201b62aca2a520f10541fa75d26862b1b

SHA256
e01e67b7f29fa88bef7fc4286996f4644eb78f90a3f74fb865f1a5b1aa4c5fd6

SHA512
b2171f600c0006628d19611d0a9cc20086a5c9b037232afcf5d386c87e41fa3a3047d948d4a8eb9b90ae20bf6eb6605ebb9f552be14b6390c8138564ba6c512d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
48b5300255838a8f48792beaebbedb5a

SHA1
2d86be178b7ab1cc1098acc783c96e0a0d353dc0

SHA256
963a19b15d410d236c233e87ace9c8682563a46fa74555ba08bf6dd6d9fc9516

SHA512
123779ebbfaca5130c233e29d4f032868e1a5781c0dd47f87da175df92362731a740b2c5a67fcb0065bd48532e55efd5a64cdfd25417018ec53ccdbdbf048545

Download Submit
memory/1584-4-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/1584-32-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/1584-5-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1584-6-0x000000000D290000-0x000000000D314000-memory.dmp

Filesize
528KB

Download
memory/1584-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-1-0x0000000000A80000-0x0000000000B44000-memory.dmp

Filesize
784KB

Download
memory/1584-3-0x0000000000410000-0x0000000000432000-memory.dmp

Filesize
136KB

Download
memory/2516-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads