agenttesla | 45c59a343b482c4c521c920f16dd1f62d0387c6c1dac58a926d75ff399c5d61e

General

Target

40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
Size

710KB
MD5

6a5edfedcacd647606f65f573ba88fd5
SHA1

e03491d78351a41011798d2f713a5296dfcc0553
SHA256

40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9
SHA512

4be2c86ee9e51f51f85b9fc5c9e85ca295dd3a8131d80322199da7369f0c374b5a2ce45338cce93f89b46c89f819312a1e1f6127170a137715fef7dbcc56d5b9
SSDEEP

12288:wbItdJS4VbKTi4dwB/m9nIayC/3cvVKr8Zpf/WJPmGE0CLXD4GME8XB:vRScz4dEuFIal36IrypfOJm/XEGY

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mayedasselectromech.com
Port:
587
Username:
[email protected]
Password:
India@2014
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2704	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
2392	powershell.exe
2704	powershell.exe
2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
1656	MSBuild.exe
1656	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1656	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2392	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	28
PID 2156 wrote to memory of 2392	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	28
PID 2156 wrote to memory of 2392	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	28
PID 2156 wrote to memory of 2392	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	28
PID 2156 wrote to memory of 2704	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	30
PID 2156 wrote to memory of 2704	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	30
PID 2156 wrote to memory of 2704	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	30
PID 2156 wrote to memory of 2704	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	30
PID 2156 wrote to memory of 2524	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	32
PID 2156 wrote to memory of 2524	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	32
PID 2156 wrote to memory of 2524	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	32
PID 2156 wrote to memory of 2524	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	32
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34
PID 2156 wrote to memory of 1656	2156	40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe	34

C:\Users\Admin\AppData\Local\Temp\40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe
"C:\Users\Admin\AppData\Local\Temp\40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\40367d6e32f9a6d3f45372fd60a4da63f494dc1ae0fd1781cfd9c3a74b4a06f9.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwOXzCYxNfOTF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwOXzCYxNfOTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1E1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB1E1.tmp

Filesize
1KB

MD5
730cb6ee0f07e5f81226aae0de5f1295

SHA1
961d9ee99d1a924d9e91dd1b051b89e5326580b0

SHA256
b8c34bb1e77ce2ce87fadbc0f75142fb3692fc3c21d812aa56e483a708b57575

SHA512
f633046bf9d8b5af394d3116da484bdf07808d48fd8a89b7bd835f9f074f1ac962c642598ce0dbaaea32728fbc058beac1151588a123082798362a601725d196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b1d25492069d2c1503cdaa0acc841176

SHA1
427cab34f11e94675186462979f6e07c9d9ac363

SHA256
0cb6051723ee266a2c1574b0571d8e24d1bf50547601d33c431e88d03222c936

SHA512
79a8bb32495fd3711b1264c11821220886f89d0abe2c4ed6b445af198d65dfaf7d3b12a1baa08306f2bdba3eab0a664a1f2fa1976e4f2e7ae9cd2a5b44dfd14d

Download Submit
memory/1656-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-1-0x00000000001C0000-0x0000000000278000-memory.dmp

Filesize
736KB

Download
memory/2156-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2156-7-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-6-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2156-3-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2156-5-0x0000000006210000-0x0000000006292000-memory.dmp

Filesize
520KB

Download
memory/2156-4-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2156-33-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads