agenttesla | ebf9b72c2f7cf094032172e2f318cd41f385e4bb46cb123b3e3138561f8b20a3

General

Target

Order.exe
Size

698KB
MD5

59aec19eabb5c948f48f949405bf4c66
SHA1

86b55319d7d08bfaedeaec425a809d03b2f40079
SHA256

ebf9b72c2f7cf094032172e2f318cd41f385e4bb46cb123b3e3138561f8b20a3
SHA512

74ff7b142d6c27cd534e03364323184ad1097d398fe0f237a945d534db0b7b3dc53db9cf3b97e47d675c0c8430ba0bb66ed10866afdd80e9d51cfd1c34c71856

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
smithcargo22@vivaldi.net
Password:
invoice12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2500-141-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral2/memory/2500-139-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

Order.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Order.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Order.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Order.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe"	Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order.exe

description pid process target process

PID 3912 set thread context of 2500 3912 Order.exe Order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1808 schtasks.exe

description	pid	process	target process
PID 3912 set thread context of 2500	3912	Order.exe	Order.exe

pid	process
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeOrder.exeOrder.exepowershell.exe

pid	process
2132	powershell.exe
1320	powershell.exe
3912	Order.exe
2500	Order.exe
2500	Order.exe
760	powershell.exe
2132	powershell.exe
1320	powershell.exe
760	powershell.exe
2132	powershell.exe
1320	powershell.exe
760	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeOrder.exeOrder.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	3912	Order.exe
Token: SeDebugPrivilege	2500	Order.exe
Token: SeDebugPrivilege	760	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Order.exe

description	pid	process	target process
PID 3912 wrote to memory of 2132	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 2132	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 2132	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 1320	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 1320	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 1320	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 1808	3912	Order.exe	schtasks.exe
PID 3912 wrote to memory of 1808	3912	Order.exe	schtasks.exe
PID 3912 wrote to memory of 1808	3912	Order.exe	schtasks.exe
PID 3912 wrote to memory of 760	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 760	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 760	3912	Order.exe	powershell.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe
PID 3912 wrote to memory of 2500	3912	Order.exe	Order.exe

C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gxdpXGvbVz.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gxdpXGvbVz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0EF.tmp"
2⤵
- Creates scheduled task(s)
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gxdpXGvbVz.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4cd086d4a1a696e22aecac9e7e0fc171

SHA1
da7d8b6043f7dc3228d8f7392578e089ad4cf5a9

SHA256
f0cf0cfabe28d0b44985bb3936e3d6a88f08118b53b59789ea6194823d6c8787

SHA512
2c1c401797a7d5cfd3c7a4e57418aa29043afafa16ca6b588d399961bd13339b7e8d55c37a822c1799d3a7bbd6b228c00faf10fad55b205c0efc97c431c9a1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a37a78fc01ef26823c7ce1b2a6e1d51e

SHA1
4257cfccfa0f930d8d5bc64643eea9717474a09c

SHA256
aa175182f3b85cd0d96144dbc2181c815db9b89c21715b79ea1e018f75ea27a3

SHA512
456d8a3f661fe9ed30df7d70e1a11058aa708399f3e407229cc3f6bd24f16698a6d90831a6b53ad3a6342dce8fddfa00bcc4622b030d749d4d2e7cde93abffa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0EF.tmp
MD5
fd8d1d66b649cbb587dc77fd5ebc8206

SHA1
5627d3dc6649c4dc0c4961b586ccf49ae78f8aeb

SHA256
173007fb1c8aebb53b6adb23c50566023897d24972d6b29a42eed6b972a1a783

SHA512
6011fd333178feebe653f308d8cfa8bd7f3b6552ed241ebc3b74839428e750878b5f421767edfe007b1549464bb706e6b724d1268007dd00e354732dcbd93c7b

Download Submit
memory/760-165-0x00000000071A2000-0x00000000071A3000-memory.dmp

Filesize
4KB

Download
memory/760-137-0x0000000000000000-mapping.dmp

Download
memory/760-197-0x00000000071A3000-0x00000000071A4000-memory.dmp

Filesize
4KB

Download
memory/760-196-0x000000007F190000-0x000000007F191000-memory.dmp

Filesize
4KB

Download
memory/760-163-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/1320-195-0x0000000004D13000-0x0000000004D14000-memory.dmp

Filesize
4KB

Download
memory/1320-124-0x0000000000000000-mapping.dmp

Download
memory/1320-189-0x0000000009820000-0x0000000009853000-memory.dmp

Filesize
204KB

Download
memory/1320-161-0x0000000004D12000-0x0000000004D13000-memory.dmp

Filesize
4KB

Download
memory/1320-160-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1320-192-0x000000007DFC0000-0x000000007DFC1000-memory.dmp

Filesize
4KB

Download
memory/1808-125-0x0000000000000000-mapping.dmp

Download
memory/2132-142-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/2132-167-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/2132-194-0x0000000006DF3000-0x0000000006DF4000-memory.dmp

Filesize
4KB

Download
memory/2132-193-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

Filesize
4KB

Download
memory/2132-123-0x0000000000000000-mapping.dmp

Download
memory/2132-144-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2132-147-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/2132-131-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/2132-132-0x0000000006DF2000-0x0000000006DF3000-memory.dmp

Filesize
4KB

Download
memory/2132-169-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/2132-129-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/2132-164-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/2132-128-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2132-138-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/2500-162-0x0000000004FC0000-0x00000000054BE000-memory.dmp

Filesize
5.0MB

Download
memory/2500-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-141-0x000000000043764E-mapping.dmp

Download
memory/3912-114-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3912-122-0x0000000007D80000-0x0000000007DF0000-memory.dmp

Filesize
448KB

Download
memory/3912-121-0x0000000005300000-0x00000000053A4000-memory.dmp

Filesize
656KB

Download
memory/3912-120-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3912-119-0x0000000004AB0000-0x0000000004ABE000-memory.dmp

Filesize
56KB

Download
memory/3912-118-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3912-117-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3912-116-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads