agenttesla | 33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

General

Target

3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
Size

718KB
MD5

3ba367bb53bc5ad7c0e8d7f5a9d33532
SHA1

974c0e32a4480927f27daec1f65ce9bf23ff0e0a
SHA256

33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f
SHA512

c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.tractorandinas.com/
Port:
21
Username:
admin@tractorandinas.com
Password:
~P*xO7vPBc-o

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1484-73-0x0000000002030000-0x000000000207D000-memory.dmp	net_reactor
behavioral1/memory/1484-77-0x0000000002170000-0x00000000021BC000-memory.dmp	net_reactor

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1484-73-0x0000000002030000-0x000000000207D000-memory.dmp	family_agenttesla
behavioral1/memory/1484-77-0x0000000002170000-0x00000000021BC000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
Executes dropped EXE 2 IoCs

Processes:

Netplwiz.exeNetplwiz.exe

pid process

1556 Netplwiz.exe
924 Netplwiz.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

pid	process
1556	Netplwiz.exe
924	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vaijia = "C:\\Users\\Public\\aijiaV.url"	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

description pid process target process

PID 756 set thread context of 1484 756 3ba367bb53bc5ad7c0e8d7f5a9d33532.exe 3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

pid process

1484 3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
1484 3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

description pid process

Token: SeDebugPrivilege 1484 3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

description	pid	process	target process
PID 756 set thread context of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

pid	process
1484	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
1484	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

description	pid	process
Token: SeDebugPrivilege	1484	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3ba367bb53bc5ad7c0e8d7f5a9d33532.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
PID 756 wrote to memory of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
PID 756 wrote to memory of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
PID 756 wrote to memory of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
PID 756 wrote to memory of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
PID 756 wrote to memory of 1484	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
PID 756 wrote to memory of 1008	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	cmd.exe
PID 756 wrote to memory of 1008	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	cmd.exe
PID 756 wrote to memory of 1008	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	cmd.exe
PID 756 wrote to memory of 1008	756	3ba367bb53bc5ad7c0e8d7f5a9d33532.exe	cmd.exe
PID 1008 wrote to memory of 616	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 616	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 616	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 616	1008	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
"C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\stt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
3⤵
PID:616

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:1556

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\NETUTILS.dll
MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat
MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat
MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
memory/616-70-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/616-72-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/616-65-0x0000000000000000-mapping.dmp

Download
memory/756-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1008-62-0x0000000000000000-mapping.dmp

Download
memory/1484-64-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1484-61-0x000000000040CD2F-mapping.dmp

Download
memory/1484-60-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1484-73-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/1484-75-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1484-74-0x0000000004851000-0x0000000004852000-memory.dmp

Filesize
4KB

Download
memory/1484-76-0x0000000004853000-0x0000000004854000-memory.dmp

Filesize
4KB

Download
memory/1484-77-0x0000000002170000-0x00000000021BC000-memory.dmp

Filesize
304KB

Download
memory/1484-78-0x0000000004854000-0x0000000004856000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads