agenttesla | 237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1

General

Target

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
Size

666KB
MD5

a6bc6bce06415a0e0521552c83a1a056
SHA1

78ac06f9b255cd527a81acf5f2a58730fb1f7240
SHA256

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1
SHA512

f9ca3ad37732c05cbcf0d00581b87829d9381c18dbbc6798592cf3856513fa7e914f3c3a184efae60bbee76d743c3f4478592cd0d0da89f500c975d0299c6be5
SSDEEP

12288:Sn2vyqCT693Ax2LFJ3xoUM7NilLv912x8o/+BE/7orHrAB5mej4s:SiPCT69Qx2hBx47aPoTSEjOHrA/y

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ap-northeast-1.sftpcloud.io
Port:
21
Username:
d6b6a1a5e9a949a5971882ecf02f4af1
Password:
TsJVvHLXmBg0sjpz7yDI98OWAVbgfcmY

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2756 powershell.exe
2752 powershell.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2756	powershell.exe
2752	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe

description	pid	process	target process
PID 1524 set thread context of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2620 schtasks.exe

pid	process
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exepowershell.exepowershell.exe

pid	process
2476	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
2476	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
2756	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2476	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe

description	pid	process	target process
PID 1524 wrote to memory of 2756	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2756	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2756	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2756	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2752	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2752	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2752	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2752	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	powershell.exe
PID 1524 wrote to memory of 2620	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	schtasks.exe
PID 1524 wrote to memory of 2620	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	schtasks.exe
PID 1524 wrote to memory of 2620	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	schtasks.exe
PID 1524 wrote to memory of 2620	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	schtasks.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
PID 1524 wrote to memory of 2476	1524	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe	237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe

C:\Users\Admin\AppData\Local\Temp\237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
"C:\Users\Admin\AppData\Local\Temp\237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgiJPyFi.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgiJPyFi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC7D1.tmp"
2⤵
- Creates scheduled task(s)
PID:2620

C:\Users\Admin\AppData\Local\Temp\237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe
"C:\Users\Admin\AppData\Local\Temp\237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC7D1.tmp
Filesize
1KB

MD5
bd6f7e906ca81113388f3d838e9d6ae4

SHA1
ba5d61cac12fd804f314b8108de8b34336281ade

SHA256
042fb4ca5899aa78c417723f24a51f42a2e8a7c3b66bb28820c811ced58c0147

SHA512
fc8b374580e139b6fd4fc3b5fa551d0c3eb701dc4a0b5681d3d257c515dcc6dffa7fe6177f3dab4f1030ab860667d8e09b7219b84557721fe14cabc392a0bd5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CKSHTXGM3OGB6R3I8JWY.temp
Filesize
7KB

MD5
952d074d7327f1e7584dc6baf524686d

SHA1
cabaad98f327aefa29e7dbd9af9abec0f0fadf7f

SHA256
db42e0a59ac3b0cd164441ac94a6bd93e8f5ad2fefe282c82b5427c92bb43c48

SHA512
4909c5cd19baeca497594e78baa10816b503bac5a57207c1c9dae8780c7a6668154c02c7fed5d4fc50dddf1620e2eda0d413e6bef5af6010276afd476fcd2366

Download Submit
memory/1524-4-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/1524-3-0x0000000000B70000-0x0000000000C10000-memory.dmp

Filesize
640KB

Download
memory/1524-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/1524-5-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1524-6-0x00000000050F0000-0x0000000005172000-memory.dmp

Filesize
520KB

Download
memory/1524-7-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/1524-2-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/1524-1-0x0000000001230000-0x00000000012DC000-memory.dmp

Filesize
688KB

Download
memory/1524-33-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads