agenttesla | 614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097

General

Target

090008000000000000.exe
Size

1.2MB
MD5

4c7fe9c4af3c08960d1490c0ba409694
SHA1

67b090a0aab7e6452d4fba12f2d625e276402096
SHA256

614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097
SHA512

a5d70d3958b0979f39d2417cdfb26de1aac81482d48151310fa8cf99ad0d7ddeb83f1812ac611debd7ee052adb7bd109d5828e09a2fd765be2dbf5e35a3889a6

Score

10^/10

agenttesla matiex snakekeylogger keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
srvc13.turhost.com
Port:
587
Username:
info@bilgitekdagitim.com
Password:
italik2015

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-24-0x0000000000400000-0x000000000050C000-memory.dmp	family_matiex
behavioral2/memory/2736-25-0x000000000040104C-mapping.dmp	family_matiex
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe	family_matiex
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe	family_matiex

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-24-0x0000000000400000-0x000000000050C000-memory.dmp	family_snakekeylogger
behavioral2/memory/2736-25-0x000000000040104C-mapping.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe	family_snakekeylogger

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-24-0x0000000000400000-0x000000000050C000-memory.dmp	family_agenttesla
behavioral2/memory/2736-25-0x000000000040104C-mapping.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\4.0.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\4.0.exe	family_agenttesla

Executes dropped EXE 3 IoCs

Processes:

4.0.exebilgi snake 2021.exeMATIEX GODISOD 4.0 .exe

pid process

2980 4.0.exe
1060 bilgi snake 2021.exe
1020 MATIEX GODISOD 4.0 .exe

pid	process
2980	4.0.exe
1060	bilgi snake 2021.exe
1020	MATIEX GODISOD 4.0 .exe

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
8 checkip.dyndns.org
11 freegeoip.app
12 freegeoip.app
15 freegeoip.app
27 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

090008000000000000.exe

description pid process target process

PID 988 set thread context of 2736 988 090008000000000000.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Powershell.exe4.0.exebilgi snake 2021.exeMATIEX GODISOD 4.0 .exe

pid process

3548 Powershell.exe
3548 Powershell.exe
2980 4.0.exe
2980 4.0.exe
1060 bilgi snake 2021.exe
3548 Powershell.exe
1020 MATIEX GODISOD 4.0 .exe

flow	ioc
28	api.ipify.org
8	checkip.dyndns.org
11	freegeoip.app
12	freegeoip.app
15	freegeoip.app
27	api.ipify.org

description	pid	process	target process
PID 988 set thread context of 2736	988	090008000000000000.exe	InstallUtil.exe

pid	process
3548	Powershell.exe
3548	Powershell.exe
2980	4.0.exe
2980	4.0.exe
1060	bilgi snake 2021.exe
3548	Powershell.exe
1020	MATIEX GODISOD 4.0 .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Powershell.exe4.0.exebilgi snake 2021.exeMATIEX GODISOD 4.0 .exe

description	pid	process
Token: SeDebugPrivilege	3548	Powershell.exe
Token: SeDebugPrivilege	2980	4.0.exe
Token: SeDebugPrivilege	1060	bilgi snake 2021.exe
Token: SeDebugPrivilege	1020	MATIEX GODISOD 4.0 .exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

2736 InstallUtil.exe

pid	process
2736	InstallUtil.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

090008000000000000.exeInstallUtil.exeMATIEX GODISOD 4.0 .exe

description	pid	process	target process
PID 988 wrote to memory of 3548	988	090008000000000000.exe	Powershell.exe
PID 988 wrote to memory of 3548	988	090008000000000000.exe	Powershell.exe
PID 988 wrote to memory of 3548	988	090008000000000000.exe	Powershell.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 988 wrote to memory of 2736	988	090008000000000000.exe	InstallUtil.exe
PID 2736 wrote to memory of 2980	2736	InstallUtil.exe	4.0.exe
PID 2736 wrote to memory of 2980	2736	InstallUtil.exe	4.0.exe
PID 2736 wrote to memory of 2980	2736	InstallUtil.exe	4.0.exe
PID 2736 wrote to memory of 1060	2736	InstallUtil.exe	bilgi snake 2021.exe
PID 2736 wrote to memory of 1060	2736	InstallUtil.exe	bilgi snake 2021.exe
PID 2736 wrote to memory of 1060	2736	InstallUtil.exe	bilgi snake 2021.exe
PID 2736 wrote to memory of 1020	2736	InstallUtil.exe	MATIEX GODISOD 4.0 .exe
PID 2736 wrote to memory of 1020	2736	InstallUtil.exe	MATIEX GODISOD 4.0 .exe
PID 2736 wrote to memory of 1020	2736	InstallUtil.exe	MATIEX GODISOD 4.0 .exe
PID 1020 wrote to memory of 2236	1020	MATIEX GODISOD 4.0 .exe	netsh.exe
PID 1020 wrote to memory of 2236	1020	MATIEX GODISOD 4.0 .exe	netsh.exe
PID 1020 wrote to memory of 2236	1020	MATIEX GODISOD 4.0 .exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe
"C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\4.0.exe
"C:\Users\Admin\AppData\Local\Temp\4.0.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe
"C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe
"C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
4⤵
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4.0.exe
MD5
bd5fe63e3666a489e7a221647f6f3807

SHA1
52a8db03aa3db1b9a287688afeffa9f041c3811c

SHA256
5a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e

SHA512
631a0ce258d4ae4ab81ca69ff344eb8733e5507b4f88c27f8b7491bed8fe2362f944bbdff51abf3089c03a67149a102cce8989d985e60a9531b77a7f260b90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.0.exe
MD5
bd5fe63e3666a489e7a221647f6f3807

SHA1
52a8db03aa3db1b9a287688afeffa9f041c3811c

SHA256
5a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e

SHA512
631a0ce258d4ae4ab81ca69ff344eb8733e5507b4f88c27f8b7491bed8fe2362f944bbdff51abf3089c03a67149a102cce8989d985e60a9531b77a7f260b90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe
MD5
f615aa95251fc14492843942a588614c

SHA1
296669e81c271762d5068f8a9ecbb354ffc335c9

SHA256
e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b

SHA512
ad58e4b52132a0c186ff14040bf95cc1c8d65b307c90a6004e1d58e365c91635d998e3259cb5575c79aeb0aed08dd55a827edadfbef7f0ecfbc500dd9b42b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe
MD5
f615aa95251fc14492843942a588614c

SHA1
296669e81c271762d5068f8a9ecbb354ffc335c9

SHA256
e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b

SHA512
ad58e4b52132a0c186ff14040bf95cc1c8d65b307c90a6004e1d58e365c91635d998e3259cb5575c79aeb0aed08dd55a827edadfbef7f0ecfbc500dd9b42b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe
MD5
e33e63bda6a3976ecadfa9ee6f096944

SHA1
68b683bb325ae9c21f471593f007c797a02dc497

SHA256
c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142

SHA512
91b672e86e30804e7e632d79e78c99ac9a0ee7c8468ad9eecc555f15773bb535d430f0c39efa61d9afdec7bb3f05f97cd18126e6c16eb6b1036e131b8f256142

Download Submit
C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe
MD5
e33e63bda6a3976ecadfa9ee6f096944

SHA1
68b683bb325ae9c21f471593f007c797a02dc497

SHA256
c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142

SHA512
91b672e86e30804e7e632d79e78c99ac9a0ee7c8468ad9eecc555f15773bb535d430f0c39efa61d9afdec7bb3f05f97cd18126e6c16eb6b1036e131b8f256142

Download Submit
memory/988-9-0x0000000006D60000-0x0000000006E7E000-memory.dmp

Filesize
1.1MB

Download
memory/988-7-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/988-11-0x0000000008CB0000-0x0000000008CB1000-memory.dmp

Filesize
4KB

Download
memory/988-12-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/988-2-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/988-61-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/988-60-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/988-15-0x0000000005473000-0x0000000005475000-memory.dmp

Filesize
8KB

Download
memory/988-8-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/988-10-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

Filesize
4KB

Download
memory/988-6-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/988-3-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/988-5-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/988-23-0x0000000006EA0000-0x0000000006EAF000-memory.dmp

Filesize
60KB

Download
memory/1020-44-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1020-47-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1020-40-0x0000000000000000-mapping.dmp

Download
memory/1020-65-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1060-36-0x0000000000000000-mapping.dmp

Download
memory/1060-62-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/1060-63-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1060-49-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1060-39-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-67-0x0000000000000000-mapping.dmp

Download
memory/2736-24-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2736-25-0x000000000040104C-mapping.dmp

Download
memory/2980-31-0x0000000000000000-mapping.dmp

Download
memory/2980-41-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2980-76-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/2980-51-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2980-80-0x0000000005771000-0x0000000005772000-memory.dmp

Filesize
4KB

Download
memory/2980-35-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/3548-18-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/3548-53-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/3548-17-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/3548-32-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/3548-16-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/3548-14-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/3548-20-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3548-19-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/3548-13-0x0000000000000000-mapping.dmp

Download
memory/3548-21-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3548-68-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/3548-69-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/3548-70-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/3548-72-0x0000000007063000-0x0000000007064000-memory.dmp

Filesize
4KB

Download
memory/3548-28-0x0000000007062000-0x0000000007063000-memory.dmp

Filesize
4KB

Download
memory/3548-30-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads