agenttesla | 38328233c3257c33f13ed27c11ac0ce699433901e4cfdc5c5eb78fb823e85c7a

General

Target

Delivery Order.gz.exe
Size

947KB
MD5

f74303c9d68e259794bff9aa16accc6c
SHA1

86278bc1da358e23bc309f1f0856bb5dcaa4498c
SHA256

38328233c3257c33f13ed27c11ac0ce699433901e4cfdc5c5eb78fb823e85c7a
SHA512

965bd616cf68a9374efc9b91b66978c00961aaa4476274bbc0abf8ee930852c1a9ec327102343fbf70f428024d9790d62e2bcc98e4b8ead6277753c1d49bca4d

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.omfoods.in
Port:
587
Username:
[email protected]
Password:
Om@food11D

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3236-15-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3236-16-0x00000000004377FE-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Delivery Order.gz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Delivery Order.gz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Delivery Order.gz.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Delivery Order.gz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nAhOJe = "C:\\Users\\Admin\\AppData\\Roaming\\nAhOJe\\nAhOJe.exe"	Delivery Order.gz.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Delivery Order.gz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Delivery Order.gz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Delivery Order.gz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Delivery Order.gz.exe

description pid process target process

PID 4048 set thread context of 3236 4048 Delivery Order.gz.exe Delivery Order.gz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1332 schtasks.exe

description	pid	process	target process
PID 4048 set thread context of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe

pid	process
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Delivery Order.gz.exeDelivery Order.gz.exe

pid	process
4048	Delivery Order.gz.exe
4048	Delivery Order.gz.exe
4048	Delivery Order.gz.exe
4048	Delivery Order.gz.exe
4048	Delivery Order.gz.exe
3236	Delivery Order.gz.exe
3236	Delivery Order.gz.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Delivery Order.gz.exeDelivery Order.gz.exe

description pid process

Token: SeDebugPrivilege 4048 Delivery Order.gz.exe
Token: SeDebugPrivilege 3236 Delivery Order.gz.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Delivery Order.gz.exe

pid process

3236 Delivery Order.gz.exe

description	pid	process
Token: SeDebugPrivilege	4048	Delivery Order.gz.exe
Token: SeDebugPrivilege	3236	Delivery Order.gz.exe

pid	process
3236	Delivery Order.gz.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Delivery Order.gz.exe

description	pid	process	target process
PID 4048 wrote to memory of 1332	4048	Delivery Order.gz.exe	schtasks.exe
PID 4048 wrote to memory of 1332	4048	Delivery Order.gz.exe	schtasks.exe
PID 4048 wrote to memory of 1332	4048	Delivery Order.gz.exe	schtasks.exe
PID 4048 wrote to memory of 2876	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 2876	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 2876	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3132	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3132	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3132	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe
PID 4048 wrote to memory of 3236	4048	Delivery Order.gz.exe	Delivery Order.gz.exe

C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe
"C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DQuHmmSWD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAB6.tmp"
2⤵
- Creates scheduled task(s)
PID:1332

C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe
"{path}"
2⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe
"{path}"
2⤵
PID:3132

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery Order.gz.exe.log
MD5
ca0f5a97e99b64cce46421d178db03d0

SHA1
dc14bbb3304f311a8970fd16d7fd45b11fa9075f

SHA256
335bca3539bd41893cecddf8d4f5a6bf10b276687267e46fc1801a73e1170866

SHA512
db07fd19802353811e1c0da40233e8fe10abdbb7904beb69fe44106fe2822d98b571f5cf6e8c3a8e61dcca1b10048c5e102de478da47301b4f75fe6dcf434900

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAB6.tmp
MD5
f85c88c776736ee084685c7b86686a3c

SHA1
4d7ff66954a365e8cd0eec04ffc0467f088d1f01

SHA256
cfa50ad40b9c8f0d456eb6200772203c2ab3f5fd8efc6a30797b933e1a4bf0a3

SHA512
3028021b7fd3fa2deeaf01e8dd3d3ad3232350d7e0c88848452d64231a1463968583a3f91b0b7ef13d6bc01c12959b16139dbae2fcf3e44650a65620655d8b43

Download Submit
memory/1332-13-0x0000000000000000-mapping.dmp

Download
memory/3236-24-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3236-23-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/3236-18-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/3236-16-0x00000000004377FE-mapping.dmp

Download
memory/3236-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-7-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4048-12-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

Filesize
4KB

Download
memory/4048-11-0x0000000009C60000-0x0000000009C61000-memory.dmp

Filesize
4KB

Download
memory/4048-10-0x0000000009650000-0x00000000096AE000-memory.dmp

Filesize
376KB

Download
memory/4048-9-0x0000000007CC0000-0x0000000007CC4000-memory.dmp

Filesize
16KB

Download
memory/4048-8-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4048-2-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4048-6-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/4048-5-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/4048-3-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads