agenttesla | fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148

General

Target

fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
Size

1016KB
MD5

2b0b84ef617c7ad106b45ff2e571513c
SHA1

f7622624c01c4ac2266bf35953ba862e2cc6cf7a
SHA256

fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148
SHA512

7ec805d403718f1b23a2fbf9979dc7c97d289c52b37acf3e5b2b25fe9474c3d0f23ce962edfd04887fa72cfd6df8498fc7430a1fa194f7ce6927ae6975607cfd

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
gibson.1990

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1304-125-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/1304-126-0x000000000043761E-mapping.dmp	family_agenttesla
behavioral2/memory/1304-131-0x00000000055C0000-0x0000000005ABE000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe

description	pid	process	target process
PID 3212 set thread context of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exeRegSvcs.exe

pid	process
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
1304	RegSvcs.exe
1304	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
Token: SeDebugPrivilege	1304	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe

description	pid	process	target process
PID 3212 wrote to memory of 3748	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 3748	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 3748	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 3120	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 3120	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 3120	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe
PID 3212 wrote to memory of 1304	3212	fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe
"C:\Users\Admin\AppData\Local\Temp\fbf730121ed0516a4726ded7dbcc1d0a7a43d11b4dc7b536992f59f9f394e148.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-133-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1304-132-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/1304-131-0x00000000055C0000-0x0000000005ABE000-memory.dmp

Filesize
5.0MB

Download
memory/1304-126-0x000000000043761E-mapping.dmp

Download
memory/3212-121-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3212-114-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3212-122-0x000000000A800000-0x000000000A806000-memory.dmp

Filesize
24KB

Download
memory/3212-123-0x000000000B1C0000-0x000000000B245000-memory.dmp

Filesize
532KB

Download
memory/3212-124-0x0000000001060000-0x00000000010AC000-memory.dmp

Filesize
304KB

Download
memory/3212-120-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3212-119-0x000000000A660000-0x000000000A661000-memory.dmp

Filesize
4KB

Download
memory/3212-118-0x000000000A5C0000-0x000000000A5C1000-memory.dmp

Filesize
4KB

Download
memory/3212-117-0x000000000AA80000-0x000000000AA81000-memory.dmp

Filesize
4KB

Download
memory/3212-116-0x0000000005030000-0x00000000050C4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads