agenttesla | 4a88d515600a389b686c2674cb10d053720eab06b16bd6c8ad99e06157980283

General

Target

PO Invoice XJ210821Q.PDF.scr.exe
Size

674KB
MD5

b93e5d5b8d6e25ea9107769128334130
SHA1

eaa57f101eec3faaa8ca9a767a07e4cdef35999e
SHA256

4a88d515600a389b686c2674cb10d053720eab06b16bd6c8ad99e06157980283
SHA512

52dfb3178800cf6905ba2e5d4c351a176b3feb531329d5bd7ba3135843dbeacad3814a82eaf3ecdf0e5e47261d7cd3d4043b616a10a2b79c194566fbb33a0657
SSDEEP

12288:AO98bQbs8+iS6RGUfSjWFa9Rh1iEIhjz3DO8ITXykKsSWScPx3ZokkR:ArIJ+7dUfSjWA9Rh14Jy8qZuWbx3Zg

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.libreriagandhi.cl
Port:
21
Username:
[email protected]
Password:
x6p2^m#1#~+O

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2788	powershell.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO Invoice XJ210821Q.PDF.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO Invoice XJ210821Q.PDF.scr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
3048	PO Invoice XJ210821Q.PDF.scr.exe
972	PO Invoice XJ210821Q.PDF.scr.exe
972	PO Invoice XJ210821Q.PDF.scr.exe
2684	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	PO Invoice XJ210821Q.PDF.scr.exe
Token: SeDebugPrivilege	972	PO Invoice XJ210821Q.PDF.scr.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2684	3048	PO Invoice XJ210821Q.PDF.scr.exe	29
PID 3048 wrote to memory of 2684	3048	PO Invoice XJ210821Q.PDF.scr.exe	29
PID 3048 wrote to memory of 2684	3048	PO Invoice XJ210821Q.PDF.scr.exe	29
PID 3048 wrote to memory of 2684	3048	PO Invoice XJ210821Q.PDF.scr.exe	29
PID 3048 wrote to memory of 2788	3048	PO Invoice XJ210821Q.PDF.scr.exe	31
PID 3048 wrote to memory of 2788	3048	PO Invoice XJ210821Q.PDF.scr.exe	31
PID 3048 wrote to memory of 2788	3048	PO Invoice XJ210821Q.PDF.scr.exe	31
PID 3048 wrote to memory of 2788	3048	PO Invoice XJ210821Q.PDF.scr.exe	31
PID 3048 wrote to memory of 2696	3048	PO Invoice XJ210821Q.PDF.scr.exe	33
PID 3048 wrote to memory of 2696	3048	PO Invoice XJ210821Q.PDF.scr.exe	33
PID 3048 wrote to memory of 2696	3048	PO Invoice XJ210821Q.PDF.scr.exe	33
PID 3048 wrote to memory of 2696	3048	PO Invoice XJ210821Q.PDF.scr.exe	33
PID 3048 wrote to memory of 1740	3048	PO Invoice XJ210821Q.PDF.scr.exe	35
PID 3048 wrote to memory of 1740	3048	PO Invoice XJ210821Q.PDF.scr.exe	35
PID 3048 wrote to memory of 1740	3048	PO Invoice XJ210821Q.PDF.scr.exe	35
PID 3048 wrote to memory of 1740	3048	PO Invoice XJ210821Q.PDF.scr.exe	35
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36
PID 3048 wrote to memory of 972	3048	PO Invoice XJ210821Q.PDF.scr.exe	36

C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zDowlSskSU.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDowlSskSU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA554.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\PO Invoice XJ210821Q.PDF.scr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA554.tmp

Filesize
1KB

MD5
87945b6f768e1dd5a049a2769c8c765d

SHA1
d3a9718a9c1ff58137fb9d6f3c3141083e63c88c

SHA256
6e3d1a02b41ff065a8a1a23c43537a0ca467d51589d5565a198e8ffc2bd1c1ab

SHA512
89f967351dcb52b557b1624b4b3882d7e6aa3d9c890fbe159b8926f8efedb1438df4ec6039b412899fd723cd47260046df162205c9535da45ba11d1a451feaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V4Y5QUE0TB7BSJG5QGFV.temp

Filesize
7KB

MD5
9905922065b7d60ee81f4804191e004a

SHA1
f89e8a4ede16ec48d848d82868658316025614b4

SHA256
d86759ea98a1809530d24c91399ff1401f62b73588bb7f0a25291a7ac8c10c72

SHA512
7edc971a6830ac01bcb064d911c6db5f1be3a91815bb0c75a08904f8ecabbad5662d1b7940e3185992c87cd300f5a24b6ac467092df6045c7d494467edf7a72a

Download Submit
memory/972-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/972-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-1-0x00000000000F0000-0x000000000019C000-memory.dmp

Filesize
688KB

Download
memory/3048-2-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000004F80000-0x0000000005004000-memory.dmp

Filesize
528KB

Download
memory/3048-6-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-3-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-5-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/3048-4-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/3048-32-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads