agenttesla | 328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725

Analysis

max time kernel
38s
max time network
104s
platform
windows7_x64
resource
win7v20201028
submitted
24-11-2020 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
Size

590KB
MD5

6611edb58235884e8499d12cdfa808be
SHA1

7d1f2d13c59930dbb8e2547f3748215da9f20ee9
SHA256

a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d
SHA512

283769a041c725cfca6501b47979d8a51695535f701dca45d0c444a5e0d903e40a19ca98adc26f54998f2a4c27b9772bd821196c19f2b6ba485c837d79c803c2

Score

10^/10

agenttesla redline discovery infostealer keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

AgentTesla Payload 4 IoCs

keylogger stealer

Processes:

resource	yara_rule
behavioral13/memory/868-10-0x0000000000400000-0x0000000000426000-memory.dmp	agent_tesla
behavioral13/memory/868-11-0x000000000042040E-mapping.dmp	agent_tesla
behavioral13/memory/868-13-0x0000000000400000-0x0000000000426000-memory.dmp	agent_tesla
behavioral13/memory/868-14-0x0000000000400000-0x0000000000426000-memory.dmp	agent_tesla

Executes dropped EXE 3 IoCs

Processes:

BubbleBrowser.exeBubbleBrowser.exeBubbleBrowser.exe

pid process

1532 BubbleBrowser.exe
544 BubbleBrowser.exe
868 BubbleBrowser.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 checkip.amazonaws.com

pid	process
1532	BubbleBrowser.exe
544	BubbleBrowser.exe
868	BubbleBrowser.exe

flow	ioc
19	checkip.amazonaws.com

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

BubbleBrowser.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names\e7zeFS5HxNsTpdXMr5DJXBqXQczNkbu649p1gca3Uj45R6oqE8FAflup0QDJGbLritV7GnywGZmIBovHWFlH4VKawyYj8etBOOSnT2SUCRwCKVPvjpc15l = "868"	BubbleBrowser.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BubbleBrowser.exe

description pid process target process

PID 1532 set thread context of 868 1532 BubbleBrowser.exe BubbleBrowser.exe

description	pid	process	target process
PID 1532 set thread context of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

816 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

BubbleBrowser.exeBubbleBrowser.exe

pid process

1532 BubbleBrowser.exe
1532 BubbleBrowser.exe
868 BubbleBrowser.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BubbleBrowser.exeBubbleBrowser.exe

description pid process

Token: SeDebugPrivilege 1532 BubbleBrowser.exe
Token: SeDebugPrivilege 868 BubbleBrowser.exe

pid	process
816	PING.EXE

pid	process
1532	BubbleBrowser.exe
1532	BubbleBrowser.exe
868	BubbleBrowser.exe

description	pid	process
Token: SeDebugPrivilege	1532	BubbleBrowser.exe
Token: SeDebugPrivilege	868	BubbleBrowser.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exeBubbleBrowser.exeBubbleBrowser.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 1532	1744	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe	BubbleBrowser.exe
PID 1744 wrote to memory of 1532	1744	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe	BubbleBrowser.exe
PID 1744 wrote to memory of 1532	1744	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe	BubbleBrowser.exe
PID 1744 wrote to memory of 1532	1744	a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 544	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 544	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 544	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 544	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 1532 wrote to memory of 868	1532	BubbleBrowser.exe	BubbleBrowser.exe
PID 868 wrote to memory of 1576	868	BubbleBrowser.exe	cmd.exe
PID 868 wrote to memory of 1576	868	BubbleBrowser.exe	cmd.exe
PID 868 wrote to memory of 1576	868	BubbleBrowser.exe	cmd.exe
PID 868 wrote to memory of 1576	868	BubbleBrowser.exe	cmd.exe
PID 1576 wrote to memory of 816	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 816	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 816	1576	cmd.exe	PING.EXE
PID 1576 wrote to memory of 816	1576	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
"C:\Users\Admin\AppData\Local\Temp\a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe daut
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
3⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
"C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
3⤵
- Executes dropped EXE
- Modifies service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
MD5
11d71c92fb114168431892a73963cb15

SHA1
6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

SHA256
18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

SHA512
e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

Download Submit
C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
MD5
11d71c92fb114168431892a73963cb15

SHA1
6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

SHA256
18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

SHA512
e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

Download Submit
C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
MD5
11d71c92fb114168431892a73963cb15

SHA1
6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

SHA256
18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

SHA512
e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

Download Submit
C:\Users\Admin\AppData\Roaming\BubbleBrowser.exe
MD5
11d71c92fb114168431892a73963cb15

SHA1
6467448f5b6dfb4f0cd77e218e6e4bfbe8a61696

SHA256
18f4e6a6483a5684d61942d56cc20abc1ed690aa03910c9a3ebe24e71da8cf94

SHA512
e3d2b822acf17d3c63e1efad5ef2dfc5ff3a2fdbed9a1b3791e1175fc674f62c0be2ef618d0a4a36e4e5c96c5399a3d53e0e3c0102b2a9324aa30641d301e6be

Download Submit
memory/816-19-0x0000000000000000-mapping.dmp

Download
memory/868-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/868-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/868-11-0x000000000042040E-mapping.dmp

Download
memory/868-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/868-15-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-7-0x0000000002150000-0x000000000218C000-memory.dmp

Filesize
240KB

Download
memory/1532-8-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/1532-1-0x0000000000000000-mapping.dmp

Download
memory/1532-4-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-5-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1576-18-0x0000000000000000-mapping.dmp

Download
memory/1808-0-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp

Filesize
2.5MB

Download