agenttesla | 3f0fa5c8ebb2640afc948bfd5c8bb0ba644222b3bc15c095085d718843d59915

General

Target

Q88_Bulk Carrier.exe
Size

525KB
MD5

2fe4b829f1cfa6c3183a1e0391309eb0
SHA1

14c56282c5a43cd9b33f5f90eaaf6953526e9b75
SHA256

3f0fa5c8ebb2640afc948bfd5c8bb0ba644222b3bc15c095085d718843d59915
SHA512

2dc7fe45124b72e65a5f89aea0a54e8f630b061635c5375c3a504b93d0136a51ac8e42906eb0806930a1445629d63cb0e33c14b53cc17b95c4cb6cf5ae9f4920

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.hyshippingcn.com
Port:
587
Username:
plogs112@hyshippingcn.com
Password:
e*u@qkS4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4584-20-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral2/memory/4584-19-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

3176 AdvancedRun.exe
4192 AdvancedRun.exe
3288 AdvancedRun.exe
3372 AdvancedRun.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Q88_Bulk Carrier.exe

description pid process target process

PID 4764 set thread context of 4584 4764 Q88_Bulk Carrier.exe Q88_Bulk Carrier.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
16	api.ipify.org
17	api.ipify.org

description	pid	process	target process
PID 4764 set thread context of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeQ88_Bulk Carrier.exeQ88_Bulk Carrier.exe

pid	process
3176	AdvancedRun.exe
3176	AdvancedRun.exe
3176	AdvancedRun.exe
3176	AdvancedRun.exe
4192	AdvancedRun.exe
4192	AdvancedRun.exe
4192	AdvancedRun.exe
4192	AdvancedRun.exe
3288	AdvancedRun.exe
3288	AdvancedRun.exe
3288	AdvancedRun.exe
3288	AdvancedRun.exe
3372	AdvancedRun.exe
3372	AdvancedRun.exe
3372	AdvancedRun.exe
3372	AdvancedRun.exe
4764	Q88_Bulk Carrier.exe
4764	Q88_Bulk Carrier.exe
4584	Q88_Bulk Carrier.exe
4584	Q88_Bulk Carrier.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeQ88_Bulk Carrier.exeQ88_Bulk Carrier.exe

description	pid	process
Token: SeDebugPrivilege	3176	AdvancedRun.exe
Token: SeImpersonatePrivilege	3176	AdvancedRun.exe
Token: SeDebugPrivilege	4192	AdvancedRun.exe
Token: SeImpersonatePrivilege	4192	AdvancedRun.exe
Token: SeDebugPrivilege	3288	AdvancedRun.exe
Token: SeImpersonatePrivilege	3288	AdvancedRun.exe
Token: SeDebugPrivilege	3372	AdvancedRun.exe
Token: SeImpersonatePrivilege	3372	AdvancedRun.exe
Token: SeDebugPrivilege	4764	Q88_Bulk Carrier.exe
Token: SeDebugPrivilege	4584	Q88_Bulk Carrier.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Q88_Bulk Carrier.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 4764 wrote to memory of 3176	4764	Q88_Bulk Carrier.exe	AdvancedRun.exe
PID 4764 wrote to memory of 3176	4764	Q88_Bulk Carrier.exe	AdvancedRun.exe
PID 4764 wrote to memory of 3176	4764	Q88_Bulk Carrier.exe	AdvancedRun.exe
PID 3176 wrote to memory of 4192	3176	AdvancedRun.exe	AdvancedRun.exe
PID 3176 wrote to memory of 4192	3176	AdvancedRun.exe	AdvancedRun.exe
PID 3176 wrote to memory of 4192	3176	AdvancedRun.exe	AdvancedRun.exe
PID 4764 wrote to memory of 3288	4764	Q88_Bulk Carrier.exe	AdvancedRun.exe
PID 4764 wrote to memory of 3288	4764	Q88_Bulk Carrier.exe	AdvancedRun.exe
PID 4764 wrote to memory of 3288	4764	Q88_Bulk Carrier.exe	AdvancedRun.exe
PID 3288 wrote to memory of 3372	3288	AdvancedRun.exe	AdvancedRun.exe
PID 3288 wrote to memory of 3372	3288	AdvancedRun.exe	AdvancedRun.exe
PID 3288 wrote to memory of 3372	3288	AdvancedRun.exe	AdvancedRun.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe
PID 4764 wrote to memory of 4584	4764	Q88_Bulk Carrier.exe	Q88_Bulk Carrier.exe

C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe
"C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3176
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3288
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe
"C:\Users\Admin\AppData\Local\Temp\Q88_Bulk Carrier.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q88_Bulk Carrier.exe.log
MD5
4f9330dcb7e8730af9341cfdf0d8030f

SHA1
67daaf17560b15fe1d861139bce85a3ff6dbed23

SHA256
1c25f424605d0e3ccf1ec077c36b3d2c89aa628521d10df851c2ff7689ad4617

SHA512
e3becfad18409be0797d172e8b1364775726f9d33d8f125c87656a829b0c0c86fcec433db4446371e68530c0d7cb594fdcf28bb75e1f5d4fba64fe38329d9a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/3176-9-0x0000000000000000-mapping.dmp

Download
memory/3288-15-0x0000000000000000-mapping.dmp

Download
memory/3372-17-0x0000000000000000-mapping.dmp

Download
memory/4192-13-0x0000000000000000-mapping.dmp

Download
memory/4584-22-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/4584-32-0x0000000005781000-0x0000000005782000-memory.dmp

Filesize
4KB

Download
memory/4584-31-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/4584-30-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/4584-28-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4584-27-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4584-20-0x000000000043763E-mapping.dmp

Download
memory/4584-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-26-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4764-7-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4764-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4764-5-0x0000000002CA0000-0x0000000002CA2000-memory.dmp

Filesize
8KB

Download
memory/4764-6-0x00000000053D0000-0x0000000005423000-memory.dmp

Filesize
332KB

Download
memory/4764-2-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/4764-8-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/4764-11-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads