agenttesla | 5a38c1770a9728871ebf9a8a4b7b9e676fe5ace9c9b4a1a5d64f8ae86044fa97

General

Target

cpGoM9vVOEuBvfH.exe
Size

458KB
MD5

e620cb9ccee4b0460a3af37e72e57a9f
SHA1

c38a182b62104ec7bde609ff36a99ca2972da19b
SHA256

5a38c1770a9728871ebf9a8a4b7b9e676fe5ace9c9b4a1a5d64f8ae86044fa97
SHA512

f2f72556fedfe983451b8828a8aafce8b5a9f247466b4ed755a17d16766017623d978a4d1ed65bc657fb10fa48fc84c640d9c67d20731311740cb0defc757436

Score

10^/10

agenttesla evasion keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
v.clemens@slee-de.me
Password:
@mexicod1.,

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1468-47-0x000000000044CBFE-mapping.dmp	family_agenttesla
behavioral1/memory/1468-46-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1468-49-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1468-48-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1056-5-0x0000000004CA0000-0x0000000004CF4000-memory.dmp	rezer0

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cpGoM9vVOEuBvfH.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	cpGoM9vVOEuBvfH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cpGoM9vVOEuBvfH.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cpGoM9vVOEuBvfH.exe

description pid process target process

PID 1056 set thread context of 1468 1056 cpGoM9vVOEuBvfH.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

992 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.execpGoM9vVOEuBvfH.exeRegSvcs.exe

pid process

1552 powershell.exe
1552 powershell.exe
1056 cpGoM9vVOEuBvfH.exe
1056 cpGoM9vVOEuBvfH.exe
1468 RegSvcs.exe
1468 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.execpGoM9vVOEuBvfH.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1552 powershell.exe
Token: SeDebugPrivilege 1056 cpGoM9vVOEuBvfH.exe
Token: SeDebugPrivilege 1468 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1468 RegSvcs.exe

description	pid	process	target process
PID 1056 set thread context of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe

pid	process
992	schtasks.exe

pid	process
1552	powershell.exe
1552	powershell.exe
1056	cpGoM9vVOEuBvfH.exe
1056	cpGoM9vVOEuBvfH.exe
1468	RegSvcs.exe
1468	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1056	cpGoM9vVOEuBvfH.exe
Token: SeDebugPrivilege	1468	RegSvcs.exe

pid	process
1468	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

cpGoM9vVOEuBvfH.exeRegSvcs.exe

description	pid	process	target process
PID 1056 wrote to memory of 1552	1056	cpGoM9vVOEuBvfH.exe	powershell.exe
PID 1056 wrote to memory of 1552	1056	cpGoM9vVOEuBvfH.exe	powershell.exe
PID 1056 wrote to memory of 1552	1056	cpGoM9vVOEuBvfH.exe	powershell.exe
PID 1056 wrote to memory of 1552	1056	cpGoM9vVOEuBvfH.exe	powershell.exe
PID 1056 wrote to memory of 992	1056	cpGoM9vVOEuBvfH.exe	schtasks.exe
PID 1056 wrote to memory of 992	1056	cpGoM9vVOEuBvfH.exe	schtasks.exe
PID 1056 wrote to memory of 992	1056	cpGoM9vVOEuBvfH.exe	schtasks.exe
PID 1056 wrote to memory of 992	1056	cpGoM9vVOEuBvfH.exe	schtasks.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1564	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1056 wrote to memory of 1468	1056	cpGoM9vVOEuBvfH.exe	RegSvcs.exe
PID 1468 wrote to memory of 1492	1468	RegSvcs.exe	netsh.exe
PID 1468 wrote to memory of 1492	1468	RegSvcs.exe	netsh.exe
PID 1468 wrote to memory of 1492	1468	RegSvcs.exe	netsh.exe
PID 1468 wrote to memory of 1492	1468	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cpGoM9vVOEuBvfH.exe
"C:\Users\Admin\AppData\Local\Temp\cpGoM9vVOEuBvfH.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WUHNSjEfrxlIU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59E3.tmp"
2⤵
- Creates scheduled task(s)
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1492

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp59E3.tmp
MD5
31179c01c252613d7dd42c9be752d17d

SHA1
6063a752027b120e52367104e6cab3d4ce4c5dcd

SHA256
e08b46b9a18b084af535129d0aabe8fcf2d7752434ef913ca72716670c0ced23

SHA512
acd85c0661a27d14e8a823c25eb22bbf0a70f088b27e8d044dbe7a1e17689b6ff66e4b8320f431fef682467d735a6ba43766d337a119f5ea1c7e6d7bcfbe0680

Download Submit
memory/992-44-0x0000000000000000-mapping.dmp

Download
memory/1056-0-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1056-4-0x00000000040B0000-0x0000000004123000-memory.dmp

Filesize
460KB

Download
memory/1056-5-0x0000000004CA0000-0x0000000004CF4000-memory.dmp

Filesize
336KB

Download
memory/1056-3-0x0000000000420000-0x0000000000423000-memory.dmp

Filesize
12KB

Download
memory/1056-1-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1468-50-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1468-48-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1468-49-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1468-46-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1468-47-0x000000000044CBFE-mapping.dmp

Download
memory/1492-53-0x0000000000000000-mapping.dmp

Download
memory/1552-7-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1552-27-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/1552-28-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1552-42-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1552-43-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1552-20-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1552-19-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1552-14-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/1552-11-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1552-10-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1552-9-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1552-8-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1552-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads