agenttesla | 52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc

Analysis

max time kernel
111s
max time network
113s
platform
windows10_x64
resource
win10v20201028
submitted
26-11-2020 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 51897.exe
Size

142KB
MD5

a91e329eddf0be4953e2a6e8900f0c0b
SHA1

b3883a90173d28154794ac430fec790716bcc0cb
SHA256

52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc
SHA512

9aa58e2886efc37a26129ac123a4604a31c4c46f29c10d875acd472960f04148aaa0d2bc1c21c1c731d9b704945b6dd7b31052b083118bdfd2cba51132eb3fce

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gayaceramic.com
Port:
587
Username:
info@gayaceramic.com
Password:
2019gaya

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Order 51897.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order 51897.exe\""	Order 51897.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2344-47-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2344-48-0x000000000043766E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order 51897.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Order 51897.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Order 51897.exe

Drops startup file 2 IoCs

Processes:

Order 51897.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order 51897.exe	Order 51897.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order 51897.exe	Order 51897.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Order 51897.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	Order 51897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Order 51897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Order 51897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Order 51897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order 51897.exe = "0"	Order 51897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Order 51897.exe = "0"	Order 51897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	Order 51897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	Order 51897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Order 51897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Order 51897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Order 51897.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Order 51897.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Order 51897.exe"	Order 51897.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Order 51897.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Order 51897.exe"	Order 51897.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
19 api.ipify.org

flow	ioc
18	api.ipify.org
19	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Order 51897.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Order 51897.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Order 51897.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order 51897.exe

description pid process target process

PID 4076 set thread context of 2344 4076 Order 51897.exe Order 51897.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2688 timeout.exe

description	pid	process	target process
PID 4076 set thread context of 2344	4076	Order 51897.exe	Order 51897.exe

pid	process
2688	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeOrder 51897.exe

pid	process
2116	powershell.exe
3900	powershell.exe
1408	powershell.exe
2800	powershell.exe
1408	powershell.exe
3900	powershell.exe
2116	powershell.exe
2800	powershell.exe
2344	Order 51897.exe
2344	Order 51897.exe
2116	powershell.exe
2800	powershell.exe
1408	powershell.exe
3900	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Order 51897.exepowershell.exepowershell.exepowershell.exepowershell.exeOrder 51897.exe

description	pid	process
Token: SeDebugPrivilege	4076	Order 51897.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2344	Order 51897.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Order 51897.exe

description	pid	process	target process
PID 4076 wrote to memory of 2688	4076	Order 51897.exe	timeout.exe
PID 4076 wrote to memory of 2688	4076	Order 51897.exe	timeout.exe
PID 4076 wrote to memory of 2688	4076	Order 51897.exe	timeout.exe
PID 4076 wrote to memory of 2116	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 2116	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 2116	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 1408	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 1408	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 1408	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 3900	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 3900	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 3900	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 2800	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 2800	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 2800	4076	Order 51897.exe	powershell.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe
PID 4076 wrote to memory of 2344	4076	Order 51897.exe	Order 51897.exe

C:\Users\Admin\AppData\Local\Temp\Order 51897.exe
"C:\Users\Admin\AppData\Local\Temp\Order 51897.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\timeout.exe
timeout 4
2⤵
- Delays execution with timeout.exe
PID:2688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order 51897.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order 51897.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order 51897.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order 51897.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Users\Admin\AppData\Local\Temp\Order 51897.exe
"C:\Users\Admin\AppData\Local\Temp\Order 51897.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 51897.exe.log
MD5
de3a13c65a9f2959fd96be7eefdb8f20

SHA1
593b8d995f65152f5d8ee2d30b47953c1e366a2a

SHA256
524d5bdfd5fa0ce543b94795c2937e48dd8ececb5debd2792751e2ab476cdaa2

SHA512
9419178be24f4f30f441e72757d8c455969e796078143f8148705e9ae900cf421acd481a27e41365d1f1d221c4195224799535195b5a45c7583e392fa0de4eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
676c15145292e85f991348a81a3f2aca

SHA1
8740d72835afb0f50c350f2dc06be644a990632f

SHA256
60ac563537d737ddcc1932431dcac953466b2beb1ec9657fabb68a3aa8f93f3f

SHA512
bfb6a27082d9749e901cf7b800de3099e5559474e43b09857798f7c539a1e56e46bf22d61a406fc58e81f19875c70ef1dea93278235586f0e1a0da5cd8a3beeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
676c15145292e85f991348a81a3f2aca

SHA1
8740d72835afb0f50c350f2dc06be644a990632f

SHA256
60ac563537d737ddcc1932431dcac953466b2beb1ec9657fabb68a3aa8f93f3f

SHA512
bfb6a27082d9749e901cf7b800de3099e5559474e43b09857798f7c539a1e56e46bf22d61a406fc58e81f19875c70ef1dea93278235586f0e1a0da5cd8a3beeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3c9ec74ef964e94707131d6676dae1e0

SHA1
d1aebcd8042c85ca44c71477fcb62d5f4f0d112c

SHA256
9854733919e758ef682883109564a3c3366e1d1ab920b56e1b96ffdfcf4b2f4f

SHA512
eb20bcc7e1c34a68b78f4823bce647ebe1fb7edffaec5dc28365f8fa060ebaf210497b1c64ceeefd286bde97584ec2a8f4bd3b1b330a2b6478cff7b4fd79c36b

Download Submit
memory/1408-8-0x0000000000000000-mapping.dmp

Download
memory/1408-12-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-15-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2116-89-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/2116-39-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/2116-23-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/2116-11-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-84-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/2116-13-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/2116-7-0x0000000000000000-mapping.dmp

Download
memory/2344-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-125-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/2344-119-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2344-50-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2344-126-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/2344-48-0x000000000043766E-mapping.dmp

Download
memory/2688-3-0x0000000000000000-mapping.dmp

Download
memory/2800-10-0x0000000000000000-mapping.dmp

Download
memory/2800-18-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-111-0x0000000009510000-0x0000000009511000-memory.dmp

Filesize
4KB

Download
memory/2800-103-0x0000000009520000-0x0000000009521000-memory.dmp

Filesize
4KB

Download
memory/2800-99-0x0000000009570000-0x0000000009571000-memory.dmp

Filesize
4KB

Download
memory/2800-43-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/3900-61-0x0000000008AB0000-0x0000000008AE3000-memory.dmp

Filesize
204KB

Download
memory/3900-16-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/3900-55-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/3900-26-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/3900-32-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/3900-9-0x0000000000000000-mapping.dmp

Download
memory/4076-0-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/4076-6-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/4076-5-0x0000000009910000-0x0000000009911000-memory.dmp

Filesize
4KB

Download
memory/4076-4-0x0000000007090000-0x000000000719C000-memory.dmp

Filesize
1.0MB

Download
memory/4076-2-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4076-1-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download