agenttesla | 2b48bf8b6d8366e4f7e6e03e5f799a8a115e06a3321fdab8f2e45cd6dee42d48

General

Target

DHL INVOICE.scr.exe
Size

1.2MB
MD5

8235a9078656e3e8a8b90657749faa5e
SHA1

77a1d0fa98939af1d551f90981b9793aa2fc8da3
SHA256

2b48bf8b6d8366e4f7e6e03e5f799a8a115e06a3321fdab8f2e45cd6dee42d48
SHA512

18bbf82bb6904739c78426c3e9d7e7a32e8e7908bb92cb10eb1d5360638722d5bd289814bb349b05741d35c4ff43489524504cd777c01050054f272e7078ceac
SSDEEP

24576:xw4bjw4biPl/hJxcpOUR9HsRia5T6yy7UHjR:xw4bjw4biPvSOEsYMOyEq

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.naveentour.com
Port:
587
Username:
[email protected]
Password:
nav!T6u2@001
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2512 powershell.exe
2580 powershell.exe

pid	process
2512	powershell.exe
2580	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL INVOICE.scr.exe

description pid process target process

PID 2012 set thread context of 2384 2012 DHL INVOICE.scr.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2800 schtasks.exe

description	pid	process	target process
PID 2012 set thread context of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe

pid	process
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

DHL INVOICE.scr.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2012	DHL INVOICE.scr.exe
2012	DHL INVOICE.scr.exe
2012	DHL INVOICE.scr.exe
2012	DHL INVOICE.scr.exe
2012	DHL INVOICE.scr.exe
2580	powershell.exe
2512	powershell.exe
2012	DHL INVOICE.scr.exe
2384	RegSvcs.exe
2384	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DHL INVOICE.scr.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2012	DHL INVOICE.scr.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2384	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

DHL INVOICE.scr.exe

description	pid	process	target process
PID 2012 wrote to memory of 2580	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2580	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2580	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2580	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2512	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2512	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2512	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2512	2012	DHL INVOICE.scr.exe	powershell.exe
PID 2012 wrote to memory of 2800	2012	DHL INVOICE.scr.exe	schtasks.exe
PID 2012 wrote to memory of 2800	2012	DHL INVOICE.scr.exe	schtasks.exe
PID 2012 wrote to memory of 2800	2012	DHL INVOICE.scr.exe	schtasks.exe
PID 2012 wrote to memory of 2800	2012	DHL INVOICE.scr.exe	schtasks.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2448	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe
PID 2012 wrote to memory of 2384	2012	DHL INVOICE.scr.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\DHL INVOICE.scr.exe
"C:\Users\Admin\AppData\Local\Temp\DHL INVOICE.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL INVOICE.scr.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rjHjDRImY.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjHjDRImY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6316.tmp"
2⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6316.tmp

Filesize
1KB

MD5
0f83da33fcf518f3437c328b26ec3fd2

SHA1
107ae7d3a18f80369e059e6a974a1a662e09e61d

SHA256
6c947af67b897557f377de666cd75313e73c7c49c630ffa4d1ffab5f63221773

SHA512
31612d4e0febb9cfcfabd43e1f854449b00dc4413a452bdc3727a8e37365c23b4df250534f9c0ac337774609cfbc859f58ea231f38e386b68c72078c1d580730

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5165976ebb9a46e8cba8e91caf97efeb

SHA1
db67be55f5b27afba8da531b60b94bfeece41f5d

SHA256
5988b5d15389f079c05dbe71aba03f5221ec16118b5a7e10a8640d920954f345

SHA512
e1cb6d5aeaa8f3317119f33963745ff7896e72c46e1b6fdefe7e4bc68bd926530bf997297be3bfcfe268b20672ce649177cc8abd17f5efbcc133a7fe556268ab

Download Submit
memory/2012-31-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-1-0x0000000001150000-0x000000000127E000-memory.dmp

Filesize
1.2MB

Download
memory/2012-3-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-2-0x0000000000A70000-0x0000000000A8A000-memory.dmp

Filesize
104KB

Download
memory/2012-4-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2012-5-0x0000000005560000-0x00000000055E2000-memory.dmp

Filesize
520KB

Download
memory/2012-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/2384-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2384-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads