agenttesla | 51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6

General

Target

QUOTE 002242020.exe
Size

2.1MB
MD5

bdbfa33c09b950889d9fc19954f20935
SHA1

d9c6cf2322734d49a1c479ff31d044ccef2f739e
SHA256

51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6
SHA512

5ab3679f6c523a4a5d73678461f5089713b06fde01d59d42e2ca728d7723af01d135eba0737bf1606f105bb0a64573807cc687b8f4ba0666f4678948f1ae6fa7

Score

10^/10

agenttesla evasion keylogger persistence rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.parshavayealborz.com
Port:
587
Username:
info@parshavayealborz.com
Password:
P@rshava123456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4036-21-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/4036-22-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-33-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-32-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-35-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-34-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-36-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-37-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-38-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-39-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-41-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-42-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral2/memory/4036-40-0x000000000044C43E-mapping.dmp	family_agenttesla

rezer0 2 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/4068-6-0x00000000088C0000-0x0000000008A74000-memory.dmp	rezer0
behavioral2/memory/3100-16-0x0000000008450000-0x00000000085CB000-memory.dmp	rezer0

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

MSBuild.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MSBuild.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MSBuild.exe

Drops startup file 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReAgentc.url	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	MSBuild.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

QUOTE 002242020.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 4068 set thread context of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 3100 set thread context of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 2132 set thread context of 4036	2132	RegSvcs.exe	MSBuild.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3696 4036 WerFault.exe MSBuild.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

2612 REG.exe

pid	pid_target	process	target process
3696	4036	WerFault.exe	MSBuild.exe

pid	process
2612	REG.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

QUOTE 002242020.exeRegSvcs.exeMSBuild.exeRegSvcs.exeWerFault.exe

pid	process
4068	QUOTE 002242020.exe
4068	QUOTE 002242020.exe
4068	QUOTE 002242020.exe
4068	QUOTE 002242020.exe
3100	RegSvcs.exe
3100	RegSvcs.exe
4036	MSBuild.exe
4036	MSBuild.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
3696	WerFault.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

QUOTE 002242020.exeRegSvcs.exeMSBuild.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4068	QUOTE 002242020.exe
Token: SeDebugPrivilege	3100	RegSvcs.exe
Token: SeDebugPrivilege	4036	MSBuild.exe
Token: SeRestorePrivilege	3696	WerFault.exe
Token: SeBackupPrivilege	3696	WerFault.exe
Token: SeDebugPrivilege	3696	WerFault.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

RegSvcs.exe

pid process

2132 RegSvcs.exe
2132 RegSvcs.exe
2132 RegSvcs.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

RegSvcs.exe

pid process

2132 RegSvcs.exe
2132 RegSvcs.exe
2132 RegSvcs.exe

pid	process
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe

pid	process
2132	RegSvcs.exe
2132	RegSvcs.exe
2132	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

QUOTE 002242020.exeRegSvcs.exeRegSvcs.exeMSBuild.exe

description	pid	process	target process
PID 4068 wrote to memory of 2644	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 2644	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 2644	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 1864	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 1864	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 1864	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 4068 wrote to memory of 3100	4068	QUOTE 002242020.exe	RegSvcs.exe
PID 3100 wrote to memory of 3156	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 3156	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 3156	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 3100 wrote to memory of 2132	3100	RegSvcs.exe	RegSvcs.exe
PID 2132 wrote to memory of 4036	2132	RegSvcs.exe	MSBuild.exe
PID 2132 wrote to memory of 4036	2132	RegSvcs.exe	MSBuild.exe
PID 2132 wrote to memory of 4036	2132	RegSvcs.exe	MSBuild.exe
PID 2132 wrote to memory of 4036	2132	RegSvcs.exe	MSBuild.exe
PID 2132 wrote to memory of 4036	2132	RegSvcs.exe	MSBuild.exe
PID 4036 wrote to memory of 2612	4036	MSBuild.exe	REG.exe
PID 4036 wrote to memory of 2612	4036	MSBuild.exe	REG.exe
PID 4036 wrote to memory of 2612	4036	MSBuild.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
4⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1472
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-20-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2132-19-0x000000000042800A-mapping.dmp

Download
memory/2132-18-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2612-30-0x0000000000000000-mapping.dmp

Download
memory/3100-16-0x0000000008450000-0x00000000085CB000-memory.dmp

Filesize
1.5MB

Download
memory/3100-8-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/3100-9-0x00000000005AD5E6-mapping.dmp

Download
memory/3100-10-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3100-14-0x0000000002E60000-0x0000000002E6B000-memory.dmp

Filesize
44KB

Download
memory/3696-43-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3696-31-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4036-22-0x000000000044C43E-mapping.dmp

Download
memory/4036-36-0x000000000044C43E-mapping.dmp

Download
memory/4036-40-0x000000000044C43E-mapping.dmp

Download
memory/4036-42-0x000000000044C43E-mapping.dmp

Download
memory/4036-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4036-41-0x000000000044C43E-mapping.dmp

Download
memory/4036-23-0x0000000073780000-0x0000000073E6E000-memory.dmp

Filesize
6.9MB

Download
memory/4036-24-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4036-28-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4036-29-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/4036-39-0x000000000044C43E-mapping.dmp

Download
memory/4036-38-0x000000000044C43E-mapping.dmp

Download
memory/4036-33-0x000000000044C43E-mapping.dmp

Download
memory/4036-32-0x000000000044C43E-mapping.dmp

Download
memory/4036-35-0x000000000044C43E-mapping.dmp

Download
memory/4036-34-0x000000000044C43E-mapping.dmp

Download
memory/4036-37-0x000000000044C43E-mapping.dmp

Download
memory/4068-7-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/4068-3-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4068-4-0x0000000005940000-0x000000000594F000-memory.dmp

Filesize
60KB

Download
memory/4068-0-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4068-5-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4068-6-0x00000000088C0000-0x0000000008A74000-memory.dmp

Filesize
1.7MB

Download
memory/4068-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads