agenttesla | d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97

General

Target

AWD SHANGHAI SHIPMENT SCHEDULE.exe
Size

760KB
MD5

8bf9536b65dec39bbf0b8733e4ad2ac4
SHA1

d7a8458e48bc1abddddaabf8e3ac6d35ef4e2c7a
SHA256

d022b7b48419dbef83e9d084602cbb5b10566d193db01248a72be46251669a97
SHA512

00fd52c6d21871f584fe67a8042f65479b06d4505ab84fc344f4cebefaae4928fff8c57ef0842d87750971a21b0174c4065b09d231b077b3278bc5290d2e0cb8

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.themainreport.co.nz
Port:
587
Username:
[email protected]
Password:
-I;MGhTyL{AQ

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2100-142-0x000000000043783E-mapping.dmp	family_agenttesla
behavioral2/memory/2100-141-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/2208-121-0x0000000005EA0000-0x0000000005EAB000-memory.dmp	CustAttr

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

apwxc.exe

pid process

3212 apwxc.exe

pid	process
3212	apwxc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AWD SHANGHAI SHIPMENT SCHEDULE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe"	AWD SHANGHAI SHIPMENT SCHEDULE.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

AWD SHANGHAI SHIPMENT SCHEDULE.exe

description pid process target process

PID 2208 set thread context of 2100 2208 AWD SHANGHAI SHIPMENT SCHEDULE.exe AWD SHANGHAI SHIPMENT SCHEDULE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4076 schtasks.exe

description	pid	process	target process
PID 2208 set thread context of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe

pid	process
4076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeAWD SHANGHAI SHIPMENT SCHEDULE.exepowershell.exeAWD SHANGHAI SHIPMENT SCHEDULE.exepowershell.exe

pid	process
3496	powershell.exe
2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe
1256	powershell.exe
2100	AWD SHANGHAI SHIPMENT SCHEDULE.exe
2100	AWD SHANGHAI SHIPMENT SCHEDULE.exe
3496	powershell.exe
208	powershell.exe
1256	powershell.exe
208	powershell.exe
1256	powershell.exe
3496	powershell.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeAWD SHANGHAI SHIPMENT SCHEDULE.exeAWD SHANGHAI SHIPMENT SCHEDULE.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe
Token: SeDebugPrivilege	2100	AWD SHANGHAI SHIPMENT SCHEDULE.exe
Token: SeDebugPrivilege	208	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

AWD SHANGHAI SHIPMENT SCHEDULE.exeAWD SHANGHAI SHIPMENT SCHEDULE.exe

description	pid	process	target process
PID 2208 wrote to memory of 3496	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 3496	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 3496	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 1256	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 1256	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 1256	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 4076	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	schtasks.exe
PID 2208 wrote to memory of 4076	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	schtasks.exe
PID 2208 wrote to memory of 4076	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	schtasks.exe
PID 2208 wrote to memory of 208	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 208	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 208	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	powershell.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2208 wrote to memory of 2100	2208	AWD SHANGHAI SHIPMENT SCHEDULE.exe	AWD SHANGHAI SHIPMENT SCHEDULE.exe
PID 2100 wrote to memory of 3212	2100	AWD SHANGHAI SHIPMENT SCHEDULE.exe	apwxc.exe
PID 2100 wrote to memory of 3212	2100	AWD SHANGHAI SHIPMENT SCHEDULE.exe	apwxc.exe
PID 2100 wrote to memory of 3212	2100	AWD SHANGHAI SHIPMENT SCHEDULE.exe	apwxc.exe

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CLBTGpuxewYAR.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CLBTGpuxewYAR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAF4.tmp"
2⤵
- Creates scheduled task(s)
PID:4076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CLBTGpuxewYAR.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe
"C:\Users\Admin\AppData\Local\Temp\AWD SHANGHAI SHIPMENT SCHEDULE.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\apwxc.exe
"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
3⤵
- Executes dropped EXE
PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c28a24e6a60d6279482c2cefbad83033

SHA1
91897bb293450bf194b4886a8e21e8f72b723bb1

SHA256
88cf1b697d7fd11311d506fd1052a1da82574ea18dd73e465d2eabb3738c9adb

SHA512
11f604106142cf284a388e8d1fbb8cd57669e17e6bc5983829fbb68841a643fed764694f84b9cd817c28bf4b02d1a86950e9b98dc7d241eb4464d7318b61754b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6e7573deb2f3899f603f5c51b14754da

SHA1
4242d3407a8f7b280a4ec1a1ce1b7b0e5fcb9905

SHA256
16f666922817a5fffcdc5c5f0711a95d823b406922a54812c112d4627de18cfc

SHA512
04cf032a6bce9a08e44c07c87583a04cd331edab40e3ef4463ac94332542bd30f93eaf86f521d795d5fed9f298bcb311a098006002fbd53a951772df58335471

Download Submit
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
MD5
1a0478dca6c849c44cd2090bcadb27e8

SHA1
b2a41f874cf4ca7df084b193f421bd8628aac3e1

SHA256
50af8c3318472d06452bc8837783e8c29c467de7ad13ad5046b9b48b1838df91

SHA512
e85a45d8d217541e563a0f352e0d67657c4b44342b569aa09c6fd036bc45b1ce5f7f8267f7ea0415453ec54b33dacc5ac2ceb3e1210604544fb11352c40367ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
MD5
1a0478dca6c849c44cd2090bcadb27e8

SHA1
b2a41f874cf4ca7df084b193f421bd8628aac3e1

SHA256
50af8c3318472d06452bc8837783e8c29c467de7ad13ad5046b9b48b1838df91

SHA512
e85a45d8d217541e563a0f352e0d67657c4b44342b569aa09c6fd036bc45b1ce5f7f8267f7ea0415453ec54b33dacc5ac2ceb3e1210604544fb11352c40367ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAF4.tmp
MD5
bc75781c671b4de4cddaacc1e930554f

SHA1
20801857681729f5be5a756debb55f9f7536ac37

SHA256
f474adb52a9a8aaec94cc663f1865b7d652b365360054062539ef39d1099fb88

SHA512
92270d31955d12ea4e67ab9f3bb2e0c9aea1b1df4312c377f1e0a7ce38e98a45bfbdb4da7cafbfc69caf429d6252fd2d42c10b4713d2b2725eff52cf60fe2963

Download Submit
memory/208-168-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/208-285-0x0000000000D13000-0x0000000000D14000-memory.dmp

Filesize
4KB

Download
memory/208-140-0x0000000000000000-mapping.dmp

Download
memory/208-232-0x000000007EC60000-0x000000007EC61000-memory.dmp

Filesize
4KB

Download
memory/208-169-0x0000000000D12000-0x0000000000D13000-memory.dmp

Filesize
4KB

Download
memory/1256-138-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1256-125-0x0000000000000000-mapping.dmp

Download
memory/1256-139-0x0000000001132000-0x0000000001133000-memory.dmp

Filesize
4KB

Download
memory/1256-228-0x0000000001133000-0x0000000001134000-memory.dmp

Filesize
4KB

Download
memory/1256-229-0x000000007FA70000-0x000000007FA71000-memory.dmp

Filesize
4KB

Download
memory/2100-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-142-0x000000000043783E-mapping.dmp

Download
memory/2100-166-0x0000000005310000-0x000000000580E000-memory.dmp

Filesize
5.0MB

Download
memory/2208-121-0x0000000005EA0000-0x0000000005EAB000-memory.dmp

Filesize
44KB

Download
memory/2208-123-0x00000000092B0000-0x00000000092ED000-memory.dmp

Filesize
244KB

Download
memory/2208-122-0x00000000091D0000-0x0000000009252000-memory.dmp

Filesize
520KB

Download
memory/2208-120-0x00000000059B0000-0x0000000005EAE000-memory.dmp

Filesize
5.0MB

Download
memory/2208-119-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2208-118-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/2208-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2208-117-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/2208-116-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/3212-895-0x0000000004A30000-0x0000000004F2E000-memory.dmp

Filesize
5.0MB

Download
memory/3212-886-0x0000000000000000-mapping.dmp

Download
memory/3496-129-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3496-234-0x00000000012A3000-0x00000000012A4000-memory.dmp

Filesize
4KB

Download
memory/3496-190-0x0000000008D40000-0x0000000008D73000-memory.dmp

Filesize
204KB

Download
memory/3496-206-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/3496-218-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/3496-225-0x000000007F080000-0x000000007F081000-memory.dmp

Filesize
4KB

Download
memory/3496-164-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/3496-163-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3496-155-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/3496-170-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/3496-150-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3496-148-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3496-143-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/3496-137-0x00000000012A2000-0x00000000012A3000-memory.dmp

Filesize
4KB

Download
memory/3496-136-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3496-132-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/3496-124-0x0000000000000000-mapping.dmp

Download
memory/4076-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads