agenttesla | 3154656cabe028daaaa85185fe521658adf8e39c36578a21b609c47f19d5dce4

General

Target

URGENT REQUEST FOR QUOTATION.exe
Size

775KB
MD5

3fd59a26eb8f645ac1f88e2ec2a3137a
SHA1

eb5135dd863bcfefa4a8e9e2fbd686068d6354e4
SHA256

785b8115d62f971593bacb7ddf5e0f0fa03ad2d3a077b91c88de788ee83f62b9
SHA512

486d81f9f07bd156ad5f1bcf127e4484399f8d43d1a6cfb09919f0971b276477c8bb5e7debd43087739c8c462488804f299017a043916c88ffd2318ecf7559d0
SSDEEP

24576:IWtb3BEXqdGFXcEm5t3bpP0PHBU4Z1ZM3fyD:TZBEqGKEm5HEhT06D

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.springandsummer.lk
Port:
587
Username:
[email protected]
Password:
anu##323
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2516 powershell.exe
2508 powershell.exe

pid	process
2516	powershell.exe
2508	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exe

description pid process target process

PID 1724 set thread context of 2420 1724 URGENT REQUEST FOR QUOTATION.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2656 schtasks.exe

description	pid	process	target process
PID 1724 set thread context of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe

pid	process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
1724	URGENT REQUEST FOR QUOTATION.exe
1724	URGENT REQUEST FOR QUOTATION.exe
1724	URGENT REQUEST FOR QUOTATION.exe
1724	URGENT REQUEST FOR QUOTATION.exe
1724	URGENT REQUEST FOR QUOTATION.exe
1724	URGENT REQUEST FOR QUOTATION.exe
2508	powershell.exe
2516	powershell.exe
1724	URGENT REQUEST FOR QUOTATION.exe
2420	RegSvcs.exe
2420	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1724	URGENT REQUEST FOR QUOTATION.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2420	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

URGENT REQUEST FOR QUOTATION.exe

description	pid	process	target process
PID 1724 wrote to memory of 2508	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2508	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2508	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2508	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2516	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2516	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2516	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2516	1724	URGENT REQUEST FOR QUOTATION.exe	powershell.exe
PID 1724 wrote to memory of 2656	1724	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1724 wrote to memory of 2656	1724	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1724 wrote to memory of 2656	1724	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1724 wrote to memory of 2656	1724	URGENT REQUEST FOR QUOTATION.exe	schtasks.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe
PID 1724 wrote to memory of 2420	1724	URGENT REQUEST FOR QUOTATION.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST FOR QUOTATION.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYQQcPA.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYQQcPA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A19.tmp"
2⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6A19.tmp
Filesize
1KB

MD5
c68467cf8a0e19de273d06e318d32045

SHA1
23ccf3b7cf76468fc6a8fd8d943a5c6c1c0368b8

SHA256
e2366cf2cbade2985c619049857b57794a2571a59a3a271a419920f1ed4a60c9

SHA512
df5cb83a4777998fba1c741e15de88ac2cdd0b0103a28123f0f016a642593d997f8e1b8563bf61199e924160cc8042c21786fe18bd3435974d6c740e37973adf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d40a6df4277eccb8ca134eae98b5d799

SHA1
d96a207a0a8d36232a59fd2e65508aaa07189859

SHA256
1d030a97a34e4a53802101ff5f9b949410f76854357daa7775610916182778a5

SHA512
861985707be9d59f8a10dbb183480bf590269d6b4e0b405a3b2e76b87d0b45aeb2532e71640c71f27cb4d61e12aacfcff50ad03eb86b4035438d07690aa0cfc0

Download Submit
memory/1724-4-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/1724-32-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/1724-5-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/1724-6-0x0000000005EB0000-0x0000000005F34000-memory.dmp

Filesize
528KB

Download
memory/1724-2-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/1724-1-0x0000000000840000-0x0000000000904000-memory.dmp

Filesize
784KB

Download
memory/1724-3-0x0000000000420000-0x0000000000442000-memory.dmp

Filesize
136KB

Download
memory/2420-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads