agenttesla | bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8

General

Target

RFQ#-Airbus AS365-EC155.exe
Size

850KB
MD5

59b10a4ae08a82cceaf918848c40a8f5
SHA1

acf4e109eba29bc8ad37a4db9337ac9a30f74e68
SHA256

bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8
SHA512

3540ee55be7e74d803c7095882e98e44af5bdd4eec6690bb6476e3d7e0495afe4d19e5352823d57a7915c43b7b6fce44f3af38b7918d1f8993a357d4d712e151

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.sempreviva.pet
Port:
587
Username:
dataoffice1@sempreviva.pet
Password:
ACYPFpe9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2136-128-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2136-129-0x000000000043759E-mapping.dmp	family_agenttesla
behavioral2/memory/2136-136-0x0000000004D80000-0x000000000527E000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid process

2136 InstallUtil.exe

pid	process
2136	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3628-122-0x00000000062F0000-0x0000000006311000-memory.dmp	agile_net
behavioral2/memory/3628-125-0x0000000004B10000-0x000000000500E000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qXLPL = "C:\\Users\\Admin\\AppData\\Roaming\\qXLPL\\qXLPL.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ#-Airbus AS365-EC155.exe

description pid process target process

PID 3628 set thread context of 2136 3628 RFQ#-Airbus AS365-EC155.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RFQ#-Airbus AS365-EC155.exeInstallUtil.exe

pid process

3628 RFQ#-Airbus AS365-EC155.exe
3628 RFQ#-Airbus AS365-EC155.exe
2136 InstallUtil.exe
2136 InstallUtil.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ#-Airbus AS365-EC155.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 3628 RFQ#-Airbus AS365-EC155.exe
Token: SeDebugPrivilege 2136 InstallUtil.exe

description	pid	process	target process
PID 3628 set thread context of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe

pid	process
3628	RFQ#-Airbus AS365-EC155.exe
3628	RFQ#-Airbus AS365-EC155.exe
2136	InstallUtil.exe
2136	InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3628	RFQ#-Airbus AS365-EC155.exe
Token: SeDebugPrivilege	2136	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

RFQ#-Airbus AS365-EC155.exe

description	pid	process	target process
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe
PID 3628 wrote to memory of 2136	3628	RFQ#-Airbus AS365-EC155.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\RFQ#-Airbus AS365-EC155.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ#-Airbus AS365-EC155.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/2136-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2136-140-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2136-137-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2136-136-0x0000000004D80000-0x000000000527E000-memory.dmp

Filesize
5.0MB

Download
memory/2136-129-0x000000000043759E-mapping.dmp

Download
memory/3628-119-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3628-124-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/3628-125-0x0000000004B10000-0x000000000500E000-memory.dmp

Filesize
5.0MB

Download
memory/3628-126-0x0000000006270000-0x000000000627B000-memory.dmp

Filesize
44KB

Download
memory/3628-127-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/3628-123-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/3628-122-0x00000000062F0000-0x0000000006311000-memory.dmp

Filesize
132KB

Download
memory/3628-120-0x0000000004B10000-0x000000000500E000-memory.dmp

Filesize
5.0MB

Download
memory/3628-114-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3628-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3628-117-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3628-116-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads