agenttesla | 39fe44328453edb4688201f0d3c6c0d07baa65d92ee1c5e0ad496bc71d1b0c9b

General

Target

USD BANK DETAILS.PNG.exe
Size

670KB
MD5

41373fb609440bc4177a1db81e594b69
SHA1

d67b37e144112e75cea9aa32f3c29775c8cfe045
SHA256

39fe44328453edb4688201f0d3c6c0d07baa65d92ee1c5e0ad496bc71d1b0c9b
SHA512

bc7305c0375cb972ad151c4320704fef47c6f266d692ba44ce278e12e07b06030a0aa42593d5e68f2ce9ecb112543417eab883c9e0787b7cb17a415b4899313b
SSDEEP

12288:CCguti8LkpEatDtW4uBiCv4CFXuOkq9b6O9P7Q0NRUONkR:Fj4jEiWliCwwu8oYP7Q0NRUn

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shaktiinstrumentations.in
Port:
587
Username:
[email protected]
Password:
Shakti54231!@#$%#@!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2564 powershell.exe
2512 powershell.exe

pid	process
2564	powershell.exe
2512	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

USD BANK DETAILS.PNG.exe

description pid process target process

PID 2276 set thread context of 2436 2276 USD BANK DETAILS.PNG.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe

description	pid	process	target process
PID 2276 set thread context of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe

pid	process
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

USD BANK DETAILS.PNG.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
2276	USD BANK DETAILS.PNG.exe
2276	USD BANK DETAILS.PNG.exe
2276	USD BANK DETAILS.PNG.exe
2276	USD BANK DETAILS.PNG.exe
2276	USD BANK DETAILS.PNG.exe
2276	USD BANK DETAILS.PNG.exe
2276	USD BANK DETAILS.PNG.exe
2436	RegSvcs.exe
2436	RegSvcs.exe
2512	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

USD BANK DETAILS.PNG.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2276	USD BANK DETAILS.PNG.exe
Token: SeDebugPrivilege	2436	RegSvcs.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

USD BANK DETAILS.PNG.exe

description	pid	process	target process
PID 2276 wrote to memory of 2564	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2564	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2564	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2564	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2512	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2512	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2512	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2512	2276	USD BANK DETAILS.PNG.exe	powershell.exe
PID 2276 wrote to memory of 2796	2276	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 2276 wrote to memory of 2796	2276	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 2276 wrote to memory of 2796	2276	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 2276 wrote to memory of 2796	2276	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 2276 wrote to memory of 2436	2276	USD BANK DETAILS.PNG.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe
"C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\waNwgSaPPjkOka.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waNwgSaPPjkOka" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E36.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5E36.tmp

Filesize
1KB

MD5
ed9f5a6aebcf1c94a6a6abacf27ab5be

SHA1
8af93cb1201053182426d2cb03015840ef4cb1bd

SHA256
6d2ebd1b432cd4163ef564acc80770becb245a324db6730d2140e96df575d19b

SHA512
3d717fa582dbb6abdb1170538afed9c1d15bb388016ed7b6bfc11f64787204913312835aa5018a55dad90f042043862fbd0c79db5a4de6793c11f6560fb54454

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOCRRVSLJBWZL53DEMTS.temp

Filesize
7KB

MD5
7c3c843a5e58e4dd27a502cfa3a143c7

SHA1
6db9d65db337350bed4e3e7e25bfb05dd1b9929e

SHA256
5e3eaf759bba8c717c31e765066c4a778d32633bc0f1a228be6e15d9cec325fc

SHA512
b7cdf4de633bc030bc6107e7071b6c0ba4387bf31754534e063e43ddb18c855a6ea19424aef623109490a13d904755abfe35d472574b968190aff7521b0df59a

Download Submit
memory/2276-30-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-1-0x0000000001170000-0x000000000121A000-memory.dmp

Filesize
680KB

Download
memory/2276-2-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-3-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2276-4-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2276-5-0x0000000004970000-0x00000000049F4000-memory.dmp

Filesize
528KB

Download
memory/2276-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2436-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads