agenttesla | 2e5adc24258e0aae79b688b0310985210ab03bffb789da8c80f5d2172e0ff323

General

Target

AWB.exe
Size

789KB
MD5

00e07fbc04097cb40012208c6d59961f
SHA1

965e3a6594cba057b116b9f53aabd8976d815058
SHA256

2e5adc24258e0aae79b688b0310985210ab03bffb789da8c80f5d2172e0ff323
SHA512

85cf5e27a27f3ba2e6dd18f86c06eb3cbc7414ce9b8998a4b1ee3b20c9141e05347dd6cf220923d606f5e3a5650f91c065f1bf40d7fbc6c145414dfda937449f

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
mullarwhite@yandex.com
Password:
challenge12345@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-2-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/836-3-0x000000000044CA9E-mapping.dmp	family_agenttesla
behavioral1/memory/836-4-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/836-5-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

AWB.exe

description pid process target process

PID 1144 set thread context of 836 1144 AWB.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AWB.exeRegSvcs.exe

pid process

1144 AWB.exe
1144 AWB.exe
1144 AWB.exe
1144 AWB.exe
836 RegSvcs.exe
836 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AWB.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1144 AWB.exe
Token: SeDebugPrivilege 836 RegSvcs.exe

description	pid	process	target process
PID 1144 set thread context of 836	1144	AWB.exe	RegSvcs.exe

pid	process
1144	AWB.exe
1144	AWB.exe
1144	AWB.exe
1144	AWB.exe
836	RegSvcs.exe
836	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1144	AWB.exe
Token: SeDebugPrivilege	836	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

AWB.exeRegSvcs.exe

description	pid	process	target process
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 1144 wrote to memory of 836	1144	AWB.exe	RegSvcs.exe
PID 836 wrote to memory of 1612	836	RegSvcs.exe	netsh.exe
PID 836 wrote to memory of 1612	836	RegSvcs.exe	netsh.exe
PID 836 wrote to memory of 1612	836	RegSvcs.exe	netsh.exe
PID 836 wrote to memory of 1612	836	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\AWB.exe
"C:\Users\Admin\AppData\Local\Temp\AWB.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/836-3-0x000000000044CA9E-mapping.dmp

Download
memory/836-4-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/836-5-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1144-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1612-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads