agenttesla | f5e66c9cb6ae8c33730d91ce46ec5098169c1281ceffea10f2a8e67f0e43ee31

General

Target

USD BANK DETAILS.PNG.exe
Size

670KB
MD5

41373fb609440bc4177a1db81e594b69
SHA1

d67b37e144112e75cea9aa32f3c29775c8cfe045
SHA256

39fe44328453edb4688201f0d3c6c0d07baa65d92ee1c5e0ad496bc71d1b0c9b
SHA512

bc7305c0375cb972ad151c4320704fef47c6f266d692ba44ce278e12e07b06030a0aa42593d5e68f2ce9ecb112543417eab883c9e0787b7cb17a415b4899313b
SSDEEP

12288:CCguti8LkpEatDtW4uBiCv4CFXuOkq9b6O9P7Q0NRUONkR:Fj4jEiWliCwwu8oYP7Q0NRUn

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shaktiinstrumentations.in
Port:
587
Username:
[email protected]
Password:
Shakti54231!@#$%#@!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2680 powershell.exe
2900 powershell.exe

pid	process
2680	powershell.exe
2900	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

USD BANK DETAILS.PNG.exe

description pid process target process

PID 1796 set thread context of 3012 1796 USD BANK DETAILS.PNG.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1736 schtasks.exe

description	pid	process	target process
PID 1796 set thread context of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe

pid	process
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

USD BANK DETAILS.PNG.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
1796	USD BANK DETAILS.PNG.exe
1796	USD BANK DETAILS.PNG.exe
1796	USD BANK DETAILS.PNG.exe
1796	USD BANK DETAILS.PNG.exe
1796	USD BANK DETAILS.PNG.exe
1796	USD BANK DETAILS.PNG.exe
1796	USD BANK DETAILS.PNG.exe
2680	powershell.exe
2900	powershell.exe
3012	RegSvcs.exe
3012	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

USD BANK DETAILS.PNG.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1796	USD BANK DETAILS.PNG.exe
Token: SeDebugPrivilege	3012	RegSvcs.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

USD BANK DETAILS.PNG.exe

description	pid	process	target process
PID 1796 wrote to memory of 2680	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2680	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2680	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2680	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2900	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2900	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2900	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 2900	1796	USD BANK DETAILS.PNG.exe	powershell.exe
PID 1796 wrote to memory of 1736	1796	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 1796 wrote to memory of 1736	1796	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 1796 wrote to memory of 1736	1796	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 1796 wrote to memory of 1736	1796	USD BANK DETAILS.PNG.exe	schtasks.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe
PID 1796 wrote to memory of 3012	1796	USD BANK DETAILS.PNG.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe
"C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\USD BANK DETAILS.PNG.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\waNwgSaPPjkOka.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\waNwgSaPPjkOka" /XML "C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp"
2⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp675B.tmp

Filesize
1KB

MD5
ed9f5a6aebcf1c94a6a6abacf27ab5be

SHA1
8af93cb1201053182426d2cb03015840ef4cb1bd

SHA256
6d2ebd1b432cd4163ef564acc80770becb245a324db6730d2140e96df575d19b

SHA512
3d717fa582dbb6abdb1170538afed9c1d15bb388016ed7b6bfc11f64787204913312835aa5018a55dad90f042043862fbd0c79db5a4de6793c11f6560fb54454

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2XKTZ9ZDX1QBS9UH7EAQ.temp

Filesize
7KB

MD5
389313d43e98027ad0bd2712581ce688

SHA1
7936ff76ef9aa8f38dc432880c02f06915f13f03

SHA256
f1f5562055be484018e135ad24ace0e1671dd648432fb221d73409931803f75d

SHA512
f5637cc1ea03ddd6ea75fd88a36ce56d50f45696111dbf02ab2c3e19d35d9ecd80ea0d904c0a64cfd98e68b21d8543284739f396b9f820833b25c72502a0d799

Download Submit
memory/1796-31-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1796-1-0x0000000000FA0000-0x000000000104A000-memory.dmp

Filesize
680KB

Download
memory/1796-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1796-3-0x0000000000620000-0x000000000063A000-memory.dmp

Filesize
104KB

Download
memory/1796-4-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1796-5-0x00000000052B0000-0x0000000005334000-memory.dmp

Filesize
528KB

Download
memory/1796-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/3012-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads