agenttesla | e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0

General

Target

Outstanding invoices.exe
Size

528KB
MD5

95df4d14a28e363ce70d5d7962427c24
SHA1

ffcdfb4eb40d64eb13e50ee13c0ae9a73a9ee8ee
SHA256

e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
SHA512

983c7bb6d01ac1729c86fc994ebbb9bb40b1dd1bd27b2ff96d8a32a3b1b547d1fb2fd3e2f24d2b8b5cedb1e10dbb666a6ced71b8d89c94595ed3b46cc8df16e6

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.babcockvalve.com
Port:
587
Username:
ziara.landa@babcockvalve.com
Password:
hA$ks@%9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2140-19-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2140-20-0x00000000004375FE-mapping.dmp	family_agenttesla

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

3140 AdvancedRun.exe
4004 AdvancedRun.exe
2836 AdvancedRun.exe
940 AdvancedRun.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Outstanding invoices.exe

description pid process target process

PID 744 set thread context of 2140 744 Outstanding invoices.exe Outstanding invoices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 744 set thread context of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeOutstanding invoices.exeOutstanding invoices.exe

pid	process
3140	AdvancedRun.exe
3140	AdvancedRun.exe
3140	AdvancedRun.exe
3140	AdvancedRun.exe
4004	AdvancedRun.exe
4004	AdvancedRun.exe
4004	AdvancedRun.exe
4004	AdvancedRun.exe
2836	AdvancedRun.exe
2836	AdvancedRun.exe
2836	AdvancedRun.exe
2836	AdvancedRun.exe
940	AdvancedRun.exe
940	AdvancedRun.exe
940	AdvancedRun.exe
940	AdvancedRun.exe
744	Outstanding invoices.exe
744	Outstanding invoices.exe
2140	Outstanding invoices.exe
2140	Outstanding invoices.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeOutstanding invoices.exeOutstanding invoices.exe

description	pid	process
Token: SeDebugPrivilege	3140	AdvancedRun.exe
Token: SeImpersonatePrivilege	3140	AdvancedRun.exe
Token: SeDebugPrivilege	4004	AdvancedRun.exe
Token: SeImpersonatePrivilege	4004	AdvancedRun.exe
Token: SeDebugPrivilege	2836	AdvancedRun.exe
Token: SeImpersonatePrivilege	2836	AdvancedRun.exe
Token: SeDebugPrivilege	940	AdvancedRun.exe
Token: SeImpersonatePrivilege	940	AdvancedRun.exe
Token: SeDebugPrivilege	744	Outstanding invoices.exe
Token: SeDebugPrivilege	2140	Outstanding invoices.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Outstanding invoices.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 744 wrote to memory of 3140	744	Outstanding invoices.exe	AdvancedRun.exe
PID 744 wrote to memory of 3140	744	Outstanding invoices.exe	AdvancedRun.exe
PID 744 wrote to memory of 3140	744	Outstanding invoices.exe	AdvancedRun.exe
PID 3140 wrote to memory of 4004	3140	AdvancedRun.exe	AdvancedRun.exe
PID 3140 wrote to memory of 4004	3140	AdvancedRun.exe	AdvancedRun.exe
PID 3140 wrote to memory of 4004	3140	AdvancedRun.exe	AdvancedRun.exe
PID 744 wrote to memory of 2836	744	Outstanding invoices.exe	AdvancedRun.exe
PID 744 wrote to memory of 2836	744	Outstanding invoices.exe	AdvancedRun.exe
PID 744 wrote to memory of 2836	744	Outstanding invoices.exe	AdvancedRun.exe
PID 2836 wrote to memory of 940	2836	AdvancedRun.exe	AdvancedRun.exe
PID 2836 wrote to memory of 940	2836	AdvancedRun.exe	AdvancedRun.exe
PID 2836 wrote to memory of 940	2836	AdvancedRun.exe	AdvancedRun.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe
PID 744 wrote to memory of 2140	744	Outstanding invoices.exe	Outstanding invoices.exe

C:\Users\Admin\AppData\Local\Temp\Outstanding invoices.exe
"C:\Users\Admin\AppData\Local\Temp\Outstanding invoices.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3140
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2836
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Local\Temp\Outstanding invoices.exe
"C:\Users\Admin\AppData\Local\Temp\Outstanding invoices.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Outstanding invoices.exe.log
MD5
4f9330dcb7e8730af9341cfdf0d8030f

SHA1
67daaf17560b15fe1d861139bce85a3ff6dbed23

SHA256
1c25f424605d0e3ccf1ec077c36b3d2c89aa628521d10df851c2ff7689ad4617

SHA512
e3becfad18409be0797d172e8b1364775726f9d33d8f125c87656a829b0c0c86fcec433db4446371e68530c0d7cb594fdcf28bb75e1f5d4fba64fe38329d9a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/744-8-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/744-11-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/744-3-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/744-5-0x00000000018F0000-0x00000000018F2000-memory.dmp

Filesize
8KB

Download
memory/744-7-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/744-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/744-6-0x0000000005870000-0x00000000058C4000-memory.dmp

Filesize
336KB

Download
memory/940-17-0x0000000000000000-mapping.dmp

Download
memory/2140-30-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/2140-31-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/2140-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-20-0x00000000004375FE-mapping.dmp

Download
memory/2140-28-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2140-22-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-26-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2140-27-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2836-15-0x0000000000000000-mapping.dmp

Download
memory/3140-9-0x0000000000000000-mapping.dmp

Download
memory/4004-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads