agenttesla | d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

Analysis

max time kernel
139s
max time network
118s
platform
windows7_x64
resource
win7
submitted
31-07-2020 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tgwqjo.exe
Size

831KB
MD5

c9bdb2a0214fd34e21c9671da4bbbca4
SHA1

bd33a69c8926f4fd9747e9db063fcbae1e964bd5
SHA256

d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2
SHA512

5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
microsotft-office365-rules-co@yandex.ru
Password:
moneymoney77

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1908-14-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1908-15-0x000000000044706E-mapping.dmp	family_agenttesla
behavioral1/memory/1908-17-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1908-18-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1792-25-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-26-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-27-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-28-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-29-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-30-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-32-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-31-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-33-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-34-0x0000000000000000-mapping.dmp	family_agenttesla
behavioral1/memory/1792-35-0x0000000000000000-mapping.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

shd.exeInstallUtil.exe

pid process

1792 shd.exe
1908 InstallUtil.exe
Loads dropped DLL 7 IoCs

Processes:

tgwqjo.exeshd.exeWerFault.exe

pid process

1124 tgwqjo.exe
1792 shd.exe
1936 WerFault.exe
1936 WerFault.exe
1936 WerFault.exe
1936 WerFault.exe
1936 WerFault.exe

pid	process
1792	shd.exe
1908	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\nfgm = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\shd.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

shd.exe

description pid process target process

PID 1792 set thread context of 1908 1792 shd.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1936 1792 WerFault.exe shd.exe

description	pid	process	target process
PID 1792 set thread context of 1908	1792	shd.exe	InstallUtil.exe

pid	pid_target	process	target process
1936	1792	WerFault.exe	shd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

tgwqjo.exeshd.exeWerFault.exeInstallUtil.exe

pid	process
1124	tgwqjo.exe
1124	tgwqjo.exe
1124	tgwqjo.exe
1124	tgwqjo.exe
1792	shd.exe
1792	shd.exe
1792	shd.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1908	InstallUtil.exe
1908	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tgwqjo.exeshd.exeWerFault.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1124	tgwqjo.exe
Token: SeDebugPrivilege	1792	shd.exe
Token: SeDebugPrivilege	1936	WerFault.exe
Token: SeDebugPrivilege	1908	InstallUtil.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tgwqjo.execmd.exeshd.exe

description	pid	process	target process
PID 1124 wrote to memory of 1516	1124	tgwqjo.exe	cmd.exe
PID 1124 wrote to memory of 1516	1124	tgwqjo.exe	cmd.exe
PID 1124 wrote to memory of 1516	1124	tgwqjo.exe	cmd.exe
PID 1124 wrote to memory of 1516	1124	tgwqjo.exe	cmd.exe
PID 1516 wrote to memory of 1620	1516	cmd.exe	reg.exe
PID 1516 wrote to memory of 1620	1516	cmd.exe	reg.exe
PID 1516 wrote to memory of 1620	1516	cmd.exe	reg.exe
PID 1516 wrote to memory of 1620	1516	cmd.exe	reg.exe
PID 1124 wrote to memory of 1792	1124	tgwqjo.exe	shd.exe
PID 1124 wrote to memory of 1792	1124	tgwqjo.exe	shd.exe
PID 1124 wrote to memory of 1792	1124	tgwqjo.exe	shd.exe
PID 1124 wrote to memory of 1792	1124	tgwqjo.exe	shd.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1908	1792	shd.exe	InstallUtil.exe
PID 1792 wrote to memory of 1936	1792	shd.exe	WerFault.exe
PID 1792 wrote to memory of 1936	1792	shd.exe	WerFault.exe
PID 1792 wrote to memory of 1936	1792	shd.exe	WerFault.exe
PID 1792 wrote to memory of 1936	1792	shd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tgwqjo.exe
"C:\Users\Admin\AppData\Local\Temp\tgwqjo.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nfgm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\shd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nfgm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\shd.exe"
3⤵
- Adds Run key to start application
PID:1620

C:\Users\Admin\shd.exe
"C:\Users\Admin\shd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 792
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
C:\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
\Users\Admin\shd.exe
MD5
c9bdb2a0214fd34e21c9671da4bbbca4

SHA1
bd33a69c8926f4fd9747e9db063fcbae1e964bd5

SHA256
d96ee923cda8458627c393925aebc1f908ab6a40ebe8c9ea0f049e3edf27bce2

SHA512
5dd32f148634462317316e6ddcfdbe92d59a730dbd1949b68304bf2810d1a2075c273aaf29c7f6b2552273f03326274d56989d02c2e42f899ee5f79b702d4413

Download Submit
memory/1124-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1516-3-0x0000000000000000-mapping.dmp

Download
memory/1620-4-0x0000000000000000-mapping.dmp

Download
memory/1792-29-0x0000000000000000-mapping.dmp

Download
memory/1792-31-0x0000000000000000-mapping.dmp

Download
memory/1792-35-0x0000000000000000-mapping.dmp

Download
memory/1792-34-0x0000000000000000-mapping.dmp

Download
memory/1792-33-0x0000000000000000-mapping.dmp

Download
memory/1792-32-0x0000000000000000-mapping.dmp

Download
memory/1792-25-0x0000000000000000-mapping.dmp

Download
memory/1792-26-0x0000000000000000-mapping.dmp

Download
memory/1792-27-0x0000000000000000-mapping.dmp

Download
memory/1792-28-0x0000000000000000-mapping.dmp

Download
memory/1792-6-0x0000000000000000-mapping.dmp

Download
memory/1792-30-0x0000000000000000-mapping.dmp

Download
memory/1908-15-0x000000000044706E-mapping.dmp

Download
memory/1908-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1908-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1908-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1936-20-0x0000000001F90000-0x0000000001FA1000-memory.dmp

Filesize
68KB

Download
memory/1936-19-0x0000000000000000-mapping.dmp

Download
memory/1936-36-0x0000000002760000-0x0000000002771000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads