agenttesla | 5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428

General

Target

5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
Size

757KB
MD5

0a95f584a5fa1e73932098f76bd1c2b7
SHA1

5b0ace847dbb4fbbab8ce5b6af86dc7cf086eb2f
SHA256

5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428
SHA512

8ce792036b33a1cf58b348d1f20bd34843c2f941dc425a37cf03abbe6b61b7c3ecdbec7e597c72a97083126159e8bdb8e70c763a5207b2ea8d5c44035bbc6e61
SSDEEP

12288:+zUY6yWn7fcpVZlu/6uHa+AsFFIlUUfO2QWiPnKEyTKoRkGfpxXQSztqTn+x3n1B:NY698VVYXASFuDfhQWiP7chhxXfZFZjt

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.simnu.com
Port:
587
Username:
[email protected]
Password:
L3tM31n*#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2600 powershell.exe
2280 powershell.exe

pid	process
2600	powershell.exe
2280	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe

description	pid	process	target process
PID 1976 set thread context of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2616 schtasks.exe

pid	process
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
2920	RegSvcs.exe
2920	RegSvcs.exe
2600	powershell.exe
2280	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
Token: SeDebugPrivilege	2920	RegSvcs.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe

description	pid	process	target process
PID 1976 wrote to memory of 2600	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2600	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2600	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2600	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2280	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2280	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2280	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2280	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	powershell.exe
PID 1976 wrote to memory of 2616	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	schtasks.exe
PID 1976 wrote to memory of 2616	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	schtasks.exe
PID 1976 wrote to memory of 2616	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	schtasks.exe
PID 1976 wrote to memory of 2616	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	schtasks.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe
PID 1976 wrote to memory of 2920	1976	5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe
"C:\Users\Admin\AppData\Local\Temp\5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5a67c4033d44cc5251ba0f360d2bfd573fdcb073293f555f82002d67971e3428.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDzcAdPdRfGo.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDzcAdPdRfGo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp"
2⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp

Filesize
1KB

MD5
ebbbc5a5f354ae604d340a51b8c3249a

SHA1
a89a70f9e9700a5ebec0c1c9c0551d1863824cca

SHA256
54388353ecbf8fbc76f663bb6423c50583bd750c784e9180fd23da91fcd024b3

SHA512
727be7aaf377cb8cf5fef9fd47ce799d64dd893160a4a408e688c07c7cc52355a81e3cfb893ec208cab9b6c7091652547504d183298488849e7b57e5beccfe21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9f1bf4081cae0cca32cf1511c64317d9

SHA1
c7b505b53c8529eff99f1641f038d86e2f41ed70

SHA256
b969fd7355a7dd0972e029a16fd5735ee77656fecbd466a98faaf164a654ece2

SHA512
6c68dc0c5666741b6ee744ce1f002d201316f49f51e4245e01d9a4447c7a36cd24d0f82d38085a549b763a6cd3cb1354aae5830fce8b157a7a5a41e4d9b4dc10

Download Submit
memory/1976-4-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1976-31-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-0-0x00000000740DE000-0x00000000740DF000-memory.dmp

Filesize
4KB

Download
memory/1976-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1976-6-0x0000000004EE0000-0x0000000004F62000-memory.dmp

Filesize
520KB

Download
memory/1976-2-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-1-0x0000000000AF0000-0x0000000000BAE000-memory.dmp

Filesize
760KB

Download
memory/1976-3-0x00000000005D0000-0x00000000005F2000-memory.dmp

Filesize
136KB

Download
memory/2920-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads