agenttesla | c94596dbfbc9fde422a8f6b20fc6e488d9fcd33931e0e2e07430824eeff8a04a

Analysis

max time kernel
144s
max time network
135s
platform
windows7_x64
resource
win7v200430
submitted
16-07-2020 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV2020.06.09974.DOCX.exe
Size

331KB
MD5

8dc8dd6ff7a50bf1bdcdaeea069a4ae6
SHA1

133cb0200309be4089f1c60ecb9c0db1fb66f551
SHA256

c94596dbfbc9fde422a8f6b20fc6e488d9fcd33931e0e2e07430824eeff8a04a
SHA512

d2bd87fbc8fb5b2f60cafe9b65561647f637853550dd57430e062aae4856ca9984e4246a327d3611d674bdf1fdaebdaf0b3f8f94604d987990a78f708bce11fc

Score

10^/10

agenttesla asyncrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
DHyXENUbuF7kz7qg9whtglVdx8ChMDvS
anti_detection
false
autorun
false
bdos
false
delay
Default
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/63NgqBcT
port
null
version
0.5.7B

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/756-21-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/756-22-0x0000000000446D4E-mapping.dmp	family_agenttesla
behavioral1/memory/756-23-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/756-24-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1844-4-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1844-5-0x000000000040D0BE-mapping.dmp	asyncrat
behavioral1/memory/1844-6-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1844-7-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
896	ldyqmf.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 896 set thread context of 756	896	ldyqmf.exe	36

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1824	schtasks.exe
300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1984	powershell.exe
1844	RegSvcs.exe
1984	powershell.exe
896	ldyqmf.exe
756	RegSvcs.exe
756	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	INV2020.06.09974.DOCX.exe
Token: SeDebugPrivilege	1844	RegSvcs.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	896	ldyqmf.exe
Token: SeDebugPrivilege	756	RegSvcs.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1824	1092	INV2020.06.09974.DOCX.exe	26
PID 1092 wrote to memory of 1824	1092	INV2020.06.09974.DOCX.exe	26
PID 1092 wrote to memory of 1824	1092	INV2020.06.09974.DOCX.exe	26
PID 1092 wrote to memory of 1824	1092	INV2020.06.09974.DOCX.exe	26
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1092 wrote to memory of 1844	1092	INV2020.06.09974.DOCX.exe	28
PID 1844 wrote to memory of 1920	1844	RegSvcs.exe	30
PID 1844 wrote to memory of 1920	1844	RegSvcs.exe	30
PID 1844 wrote to memory of 1920	1844	RegSvcs.exe	30
PID 1844 wrote to memory of 1920	1844	RegSvcs.exe	30
PID 1920 wrote to memory of 1984	1920	cmd.exe	32
PID 1920 wrote to memory of 1984	1920	cmd.exe	32
PID 1920 wrote to memory of 1984	1920	cmd.exe	32
PID 1920 wrote to memory of 1984	1920	cmd.exe	32
PID 1984 wrote to memory of 896	1984	powershell.exe	33
PID 1984 wrote to memory of 896	1984	powershell.exe	33
PID 1984 wrote to memory of 896	1984	powershell.exe	33
PID 1984 wrote to memory of 896	1984	powershell.exe	33
PID 896 wrote to memory of 300	896	ldyqmf.exe	34
PID 896 wrote to memory of 300	896	ldyqmf.exe	34
PID 896 wrote to memory of 300	896	ldyqmf.exe	34
PID 896 wrote to memory of 300	896	ldyqmf.exe	34
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36
PID 896 wrote to memory of 756	896	ldyqmf.exe	36

C:\Users\Admin\AppData\Local\Temp\INV2020.06.09974.DOCX.exe
"C:\Users\Admin\AppData\Local\Temp\INV2020.06.09974.DOCX.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EAqaZVmVe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46FE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ldyqmf.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ldyqmf.exe"'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\ldyqmf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ldyqmf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWLXuUnuRpvYdI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7177.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:300
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "{path}"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/756-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/756-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1844-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1844-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1844-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download