agenttesla | 1b77b2cbdb4bd38d7d9f6c1e5d5356ca5f7de8c74813d113b4a02c2b19be87f9

General

Target

Ord 2354 png.exe
Size

841KB
MD5

48af5cf24f8c7fc448ecbfd55d18f426
SHA1

e3cf38df72fda964da45323b60bc9bd88abbee15
SHA256

4e9cbaacb1aaed119e375ac6799f97162442f24a14785e2371b44c5e76125abb
SHA512

378572ffde0731fd3e27761be19741548b3d82d6208542c124f4db415380453d67cec00b297932e8f7a2a02c784c289a62fee1df859372da0eccabdd1ccb30f2

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.palletsolutions.ca
Port:
587
Username:
[email protected]
Password:
h~Q+QV.(M2?!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2348-148-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2348-149-0x00000000004375EE-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ord 2354 png.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ord 2354 png.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ord 2354 png.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ord 2354 png.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Ord 2354 png.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Ord 2354 png.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Ord 2354 png.exe

description pid process target process

PID 636 set thread context of 2348 636 Ord 2354 png.exe Ord 2354 png.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe

description	pid	process	target process
PID 636 set thread context of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe

pid	process
772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeOrd 2354 png.exeOrd 2354 png.exepowershell.exe

pid	process
3240	powershell.exe
3872	powershell.exe
636	Ord 2354 png.exe
3872	powershell.exe
2348	Ord 2354 png.exe
2348	Ord 2354 png.exe
3240	powershell.exe
1008	powershell.exe
1008	powershell.exe
3240	powershell.exe
3872	powershell.exe
1008	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeOrd 2354 png.exeOrd 2354 png.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	636	Ord 2354 png.exe
Token: SeDebugPrivilege	2348	Ord 2354 png.exe
Token: SeDebugPrivilege	1008	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Ord 2354 png.exe

description	pid	process	target process
PID 636 wrote to memory of 3240	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 3240	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 3240	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 3872	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 3872	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 3872	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 772	636	Ord 2354 png.exe	schtasks.exe
PID 636 wrote to memory of 772	636	Ord 2354 png.exe	schtasks.exe
PID 636 wrote to memory of 772	636	Ord 2354 png.exe	schtasks.exe
PID 636 wrote to memory of 1008	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 1008	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 1008	636	Ord 2354 png.exe	powershell.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe
PID 636 wrote to memory of 2348	636	Ord 2354 png.exe	Ord 2354 png.exe

C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
"C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIorvZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB68F.tmp"
2⤵
- Creates scheduled task(s)
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIorvZ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe
"C:\Users\Admin\AppData\Local\Temp\Ord 2354 png.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
72a93f922f5287b8d52c5d89b5ed0b9f

SHA1
83834728808e7f902c75c5a38dd0706cc0abf0f6

SHA256
0bdbb1293fd58e0a4f301806e9defd63980914bbad87a1fde9e9a9fd482af320

SHA512
a5ea5fd9fa269efa834bb3393972f3fb595654a1d18f38f3f6331fabaec55b71dce5534f0ca6dfb8bb8f5ec061854d62dc1a626f75e518c63453662064dc7bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
72a93f922f5287b8d52c5d89b5ed0b9f

SHA1
83834728808e7f902c75c5a38dd0706cc0abf0f6

SHA256
0bdbb1293fd58e0a4f301806e9defd63980914bbad87a1fde9e9a9fd482af320

SHA512
a5ea5fd9fa269efa834bb3393972f3fb595654a1d18f38f3f6331fabaec55b71dce5534f0ca6dfb8bb8f5ec061854d62dc1a626f75e518c63453662064dc7bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB68F.tmp
MD5
229f06558c9654b6b7862286d6368aae

SHA1
7ffda75358cd6a12b6f3f40e0c88f51ad82ece02

SHA256
d9e6c05af17d5b2d31062f1b4278490e7eb38950e22cae0558f81cd336fc156c

SHA512
bf6263b278dad1d8c00460ba68fa67df444245c8b1eada77696b2765624ae2d2a965c69d0a79c68fdbe6c76aa008e537016dbbc3b2df1961dbe5268a6e83c7e8

Download Submit
memory/636-121-0x0000000005690000-0x00000000056AB000-memory.dmp

Filesize
108KB

Download
memory/636-117-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/636-123-0x0000000000F70000-0x0000000000FAD000-memory.dmp

Filesize
244KB

Download
memory/636-116-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/636-125-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

Filesize
4KB

Download
memory/636-114-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/636-120-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/636-118-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/636-122-0x0000000001490000-0x0000000001512000-memory.dmp

Filesize
520KB

Download
memory/772-133-0x0000000000000000-mapping.dmp

Download
memory/1008-263-0x0000000007243000-0x0000000007244000-memory.dmp

Filesize
4KB

Download
memory/1008-237-0x000000007E570000-0x000000007E571000-memory.dmp

Filesize
4KB

Download
memory/1008-198-0x00000000098A0000-0x00000000098D3000-memory.dmp

Filesize
204KB

Download
memory/1008-147-0x0000000000000000-mapping.dmp

Download
memory/1008-165-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/1008-166-0x0000000007242000-0x0000000007243000-memory.dmp

Filesize
4KB

Download
memory/2348-163-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2348-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-149-0x00000000004375EE-mapping.dmp

Download
memory/3240-128-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3240-138-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/3240-124-0x0000000000000000-mapping.dmp

Download
memory/3240-129-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/3240-131-0x0000000007642000-0x0000000007643000-memory.dmp

Filesize
4KB

Download
memory/3240-130-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/3240-267-0x0000000007643000-0x0000000007644000-memory.dmp

Filesize
4KB

Download
memory/3240-233-0x000000007E720000-0x000000007E721000-memory.dmp

Filesize
4KB

Download
memory/3240-139-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/3872-238-0x000000007F240000-0x000000007F241000-memory.dmp

Filesize
4KB

Download
memory/3872-259-0x00000000011A3000-0x00000000011A4000-memory.dmp

Filesize
4KB

Download
memory/3872-160-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/3872-145-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/3872-132-0x0000000000000000-mapping.dmp

Download
memory/3872-173-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/3872-169-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/3872-167-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3872-162-0x00000000011A2000-0x00000000011A3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads