agenttesla | e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2

General

Target

H8pkkXDMNSesvys.exe
Size

524KB
MD5

876593a2d1bede193fcc3ef81b5eef4e
SHA1

5ad79510851f743bb4be257e36a6a0729c5679d3
SHA256

e909cbf5a12f8309b93746f877cb4cdf0b8a41d07c4b2badbf917748679213d2
SHA512

1290c80cbd1b81bd3cb845160ee0e513cf186355a5fa4bd91dc02b4ca2cf8a5b06ff31d7db1ca7f9add5062ee92bf52a77f9a56be01f872b10e9b49d3f64af98

Score

10^/10

agenttesla coreentity keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
uz@cairoways.me
Password:
09012345@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1664-5-0x0000000000300000-0x0000000000303000-memory.dmp	coreentity

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1556-10-0x000000000044C63E-mapping.dmp	family_agenttesla
behavioral1/memory/1556-9-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1556-11-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1556-12-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1664-6-0x00000000011A0000-0x00000000011F3000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

H8pkkXDMNSesvys.exe

description pid process target process

PID 1664 set thread context of 1556 1664 H8pkkXDMNSesvys.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1728 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1556 RegSvcs.exe
1556 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

H8pkkXDMNSesvys.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1664 H8pkkXDMNSesvys.exe
Token: SeDebugPrivilege 1556 RegSvcs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

H8pkkXDMNSesvys.exeRegSvcs.exe

pid process

1664 H8pkkXDMNSesvys.exe
1664 H8pkkXDMNSesvys.exe
1556 RegSvcs.exe

description	pid	process	target process
PID 1664 set thread context of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe

pid	process
1728	schtasks.exe

pid	process
1556	RegSvcs.exe
1556	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1664	H8pkkXDMNSesvys.exe
Token: SeDebugPrivilege	1556	RegSvcs.exe

pid	process
1664	H8pkkXDMNSesvys.exe
1664	H8pkkXDMNSesvys.exe
1556	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

H8pkkXDMNSesvys.exeRegSvcs.exe

description	pid	process	target process
PID 1664 wrote to memory of 1728	1664	H8pkkXDMNSesvys.exe	schtasks.exe
PID 1664 wrote to memory of 1728	1664	H8pkkXDMNSesvys.exe	schtasks.exe
PID 1664 wrote to memory of 1728	1664	H8pkkXDMNSesvys.exe	schtasks.exe
PID 1664 wrote to memory of 1728	1664	H8pkkXDMNSesvys.exe	schtasks.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1664 wrote to memory of 1556	1664	H8pkkXDMNSesvys.exe	RegSvcs.exe
PID 1556 wrote to memory of 1168	1556	RegSvcs.exe	netsh.exe
PID 1556 wrote to memory of 1168	1556	RegSvcs.exe	netsh.exe
PID 1556 wrote to memory of 1168	1556	RegSvcs.exe	netsh.exe
PID 1556 wrote to memory of 1168	1556	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe
"C:\Users\Admin\AppData\Local\Temp\H8pkkXDMNSesvys.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WQObBcOAIj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E63.tmp"
2⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E63.tmp
MD5
862e59439ef39b32fc2bce72b9d9b88a

SHA1
999e493e1412e706180c608817d6f4ba97ae1941

SHA256
0f2fd15e2cda356a86674603afe7b442895997704fd76dd48261c8898b9d393a

SHA512
0956641b2ae58fbc4a6d522cfdecd033f5025d33b49fdb1346a6b1be97e536b093c31a0a5d3afd9d4b4d9581daadf5a8db5f89a63916432f75945a3856ca56c9

Download Submit
memory/868-4-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

Filesize
2.5MB

Download
memory/1168-16-0x0000000000000000-mapping.dmp

Download
memory/1556-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1556-10-0x000000000044C63E-mapping.dmp

Download
memory/1556-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1556-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1556-13-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-5-0x0000000000300000-0x0000000000303000-memory.dmp

Filesize
12KB

Download
memory/1664-6-0x00000000011A0000-0x00000000011F3000-memory.dmp

Filesize
332KB

Download
memory/1664-3-0x0000000000480000-0x00000000004D8000-memory.dmp

Filesize
352KB

Download
memory/1664-0-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-1-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1728-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads