agenttesla | 2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22

General

Target

2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
Size

849KB
MD5

33bd447f35469eefb7fa6b11944e6ea0
SHA1

061cf3ef699b00a04f08121e6b8607a408cf2f1c
SHA256

2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22
SHA512

e1c09c044a81a569e7ff7c65d011c5adbc70a364a35cf413db78d44e7ff8844eedc76e55549b3f5d3ed87cc9fd18a106eaab9920961d08ef9a8e4d47b84ffd02
SSDEEP

24576:53KWtb3BEL7jQxlNH3S63ooiTBD441D0xyed42V1su:/ZBELPCGmiTT1D0xPrV1D

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yubacuba.online
Port:
587
Username:
[email protected]
Password:
vynKZC)6
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2656 powershell.exe

pid	process
2656	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe

description	pid	process	target process
PID 2176 set thread context of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3032 schtasks.exe

pid	process
3032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exeRegSvcs.exepowershell.exe

pid	process
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
2748	RegSvcs.exe
2748	RegSvcs.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exeRegSvcs.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
Token: SeDebugPrivilege	2748	RegSvcs.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe

description	pid	process	target process
PID 2176 wrote to memory of 2656	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	powershell.exe
PID 2176 wrote to memory of 2656	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	powershell.exe
PID 2176 wrote to memory of 2656	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	powershell.exe
PID 2176 wrote to memory of 2656	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	powershell.exe
PID 2176 wrote to memory of 3032	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	schtasks.exe
PID 2176 wrote to memory of 3032	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	schtasks.exe
PID 2176 wrote to memory of 3032	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	schtasks.exe
PID 2176 wrote to memory of 3032	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	schtasks.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe
PID 2176 wrote to memory of 2748	2176	2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe
"C:\Users\Admin\AppData\Local\Temp\2918185b0d3246ca8f4cc0b1378077e79e811f6a18b82537cc77e87c9f137a22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sTlOEa.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sTlOEa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F7C.tmp"
2⤵
- Creates scheduled task(s)
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7F7C.tmp
Filesize
1KB

MD5
2770d7c3a8a07b745e2a673832561e03

SHA1
557aa26814a7fc70d2f5045a43f10e1026461770

SHA256
ee1468ecca7e0f77dc80796d190d92c8bec5753e8037a1d6276c3dfbf039fd8b

SHA512
948e3d3d672859b395e013932f482dad13039f3ae615891ca5b0bdb73d914158f39901fd2835480960e6724e089a71b710d5e940639aa81ea155ddd2d6826ce8

Download Submit
memory/2176-14-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2176-5-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2176-27-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-4-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2176-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x0000000004B10000-0x0000000004B92000-memory.dmp

Filesize
520KB

Download
memory/2176-1-0x00000000010E0000-0x00000000011B8000-memory.dmp

Filesize
864KB

Download
memory/2176-2-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-3-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/2748-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads