agenttesla | 5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e

General

Target

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe
Size

510KB
MD5

9cc6808488ac25c8c7252b1a16d81866
SHA1

f8a86372b9a903adc0e67c93aa4cb18ef2bf2160
SHA256

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e
SHA512

eb68e18321b7b5a91d213de114763e12a5bfd262711cc5e44882b856836c122f4f298c9468f6533b2a22ed94ffa35b0f6efa6c78cb942a9916d9e09150584a57
SSDEEP

12288:24LDqJFTP6uX8XCwHYWlWgt+lwLXLHCm8FuZ6EfH6r:24LDqeuXcCwXlWgMlaXJ8FNMar

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
SMTP.yandex.com
Port:
587
Username:
[email protected]
Password:
Nwamama121

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-20-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2888-18-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2888-16-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2888-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2888-12-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe

description	pid	Process	procid_target
PID 1800 set thread context of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exeschtasks.exe5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exedw20.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe

pid	Process
2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe
2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe

description	pid	Process
Token: SeDebugPrivilege	2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe

description	pid	Process	procid_target
PID 1800 wrote to memory of 2720	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	31
PID 1800 wrote to memory of 2720	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	31
PID 1800 wrote to memory of 2720	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	31
PID 1800 wrote to memory of 2720	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	31
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 1800 wrote to memory of 2888	1800	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	33
PID 2888 wrote to memory of 2748	2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	34
PID 2888 wrote to memory of 2748	2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	34
PID 2888 wrote to memory of 2748	2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	34
PID 2888 wrote to memory of 2748	2888	5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe	34

C:\Users\Admin\AppData\Local\Temp\5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe
"C:\Users\Admin\AppData\Local\Temp\5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BTZLUHjBkaJYmD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\5d5fa23a94b50ea0d7dd84266fc47ff1d51f0af4119a973d29034593ee3cb41e.exe
  "{path}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 520
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp

Filesize
1KB

MD5
5e6c4ba2ef74da88a209f4378af4a6aa

SHA1
920c975b3598932733c218345626cc3114451e5a

SHA256
2b7cc370dbfd04658aff66c42b44e44b2597d93a84200cd55c6bfad094d5a809

SHA512
0337c65d5c4a4a2d0b8b456d9307311aa298f260a20ca4c7285fa8f48078981d19a70493552dd9d271f1a7f10757710a9c7cefdca8dd472556dc18c6d6f92ba4

Download Submit
memory/1800-0-0x00000000741A1000-0x00000000741A2000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-2-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-3-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-4-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-22-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-21-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2888-23-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-24-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads