agenttesla | f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e

General

Target

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Size

1.2MB
MD5

e330461dfd3ff5099a0b05e06bc4bda9
SHA1

0faeb359703506fd0e0fa21ab3b23dda5ea868e6
SHA256

f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e
SHA512

078bd784300123e45954db43d8d2ad941af2015856e533781303a60357f56d013cf9a3da1c023b38df81e0e186103bf98ed7f8edede42b35a6128e0b4a9381dc

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.themainreport.co.nz
Port:
587
Username:
[email protected]
Password:
-I;MGhTyL{AQ

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3200-138-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3200-139-0x000000000043783E-mapping.dmp	family_agenttesla
behavioral2/memory/3200-152-0x0000000005830000-0x0000000005D2E000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/516-122-0x0000000004520000-0x000000000452B000-memory.dmp	CustAttr

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

apwxc.exe

pid process

768 apwxc.exe

pid	process
768	apwxc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe"	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	pid	process	target process
PID 516 set thread context of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2160 schtasks.exe

pid	process
2160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exepowershell.exepowershell.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exepowershell.exe

pid	process
516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3708	powershell.exe
744	powershell.exe
3200	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3200	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
2780	powershell.exe
744	powershell.exe
3708	powershell.exe
2780	powershell.exe
3708	powershell.exe
744	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Token: SeDebugPrivilege	3200	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	pid	process	target process
PID 516 wrote to memory of 3708	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 3708	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 3708	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 744	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 744	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 744	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 2160	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	schtasks.exe
PID 516 wrote to memory of 2160	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	schtasks.exe
PID 516 wrote to memory of 2160	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	schtasks.exe
PID 516 wrote to memory of 2780	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 2780	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 2780	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 516 wrote to memory of 3200	516	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3200 wrote to memory of 768	3200	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	apwxc.exe
PID 3200 wrote to memory of 768	3200	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	apwxc.exe
PID 3200 wrote to memory of 768	3200	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	apwxc.exe

C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
"C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ayFJdzpy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ayFJdzpy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1425.tmp"
2⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ayFJdzpy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
"C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\apwxc.exe
"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
3⤵
- Executes dropped EXE
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ff71e43218860e2f80d102d27b5d8c1

SHA1
a7327e6f1738ba18960741c0e7fc0045ff9a1fb0

SHA256
8f11657e9e9e432ebc1b0dea83c620853e9cb274b5e958c41c3ed2d31790888a

SHA512
ebfcda0c13d0cee12dbee48bb8d6d834d17474bc22d300e2e3368b004052ece75530155d481d3e949c6743653917822507e81a46bfd0249e993e59ab3ca65ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3ceac69f77a810cce68cb8889f9deb5b

SHA1
e76e49d6d73b4431eaecf0d518e8396f3de91ca1

SHA256
a39350d45100096e075d3ba383fefe83cd0a1480155bc92c4231ba8b0a96a232

SHA512
d0398a6c62a37057d5bca106dfd6c3d4bfa719b40591d09eebcb253877d3c4cdcc6211c0b1ab5ad51981065acdf58c6b62ffc8ac4647fafd2304a8d2e00bc586

Download Submit
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
MD5
ddde6fc0ce346b0ab7bb0c8c02a09d33

SHA1
1067652f21fd05902288613746b5e2ea79bd07f9

SHA256
a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

SHA512
66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
MD5
ddde6fc0ce346b0ab7bb0c8c02a09d33

SHA1
1067652f21fd05902288613746b5e2ea79bd07f9

SHA256
a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

SHA512
66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1425.tmp
MD5
675566ed2cff7ac588436a51c2949fc5

SHA1
b373ec79fb87358b44ed5d5625dffd81f53d58cd

SHA256
fcba300bdd1304275c6940ea3402a12e5dcf7d41970536e04e6630a872f2b03a

SHA512
a9e020305b1489aab3df740ea2f5749a23c697e848436faf0cea79f7eb0395ad90d458eba411ece7d2d8b30cb5202394c88b81e5a4808dc337df14e964ee66fd

Download Submit
memory/516-119-0x0000000004A00000-0x0000000004A9C000-memory.dmp

Filesize
624KB

Download
memory/516-123-0x0000000005910000-0x0000000005988000-memory.dmp

Filesize
480KB

Download
memory/516-124-0x0000000005AD0000-0x0000000005B09000-memory.dmp

Filesize
228KB

Download
memory/516-122-0x0000000004520000-0x000000000452B000-memory.dmp

Filesize
44KB

Download
memory/516-121-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/516-120-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/516-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/516-118-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/516-117-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/516-116-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/744-153-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/744-201-0x000000007EC10000-0x000000007EC11000-memory.dmp

Filesize
4KB

Download
memory/744-129-0x0000000000000000-mapping.dmp

Download
memory/744-273-0x0000000004603000-0x0000000004604000-memory.dmp

Filesize
4KB

Download
memory/744-161-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/744-158-0x0000000004602000-0x0000000004603000-memory.dmp

Filesize
4KB

Download
memory/768-902-0x0000000004D10000-0x000000000520E000-memory.dmp

Filesize
5.0MB

Download
memory/768-892-0x0000000000000000-mapping.dmp

Download
memory/2160-130-0x0000000000000000-mapping.dmp

Download
memory/2780-154-0x0000000004E92000-0x0000000004E93000-memory.dmp

Filesize
4KB

Download
memory/2780-137-0x0000000000000000-mapping.dmp

Download
memory/2780-276-0x0000000004E93000-0x0000000004E94000-memory.dmp

Filesize
4KB

Download
memory/2780-170-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/2780-150-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2780-206-0x000000007E430000-0x000000007E431000-memory.dmp

Filesize
4KB

Download
memory/3200-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3200-152-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download
memory/3200-139-0x000000000043783E-mapping.dmp

Download
memory/3708-173-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/3708-197-0x000000007EE30000-0x000000007EE31000-memory.dmp

Filesize
4KB

Download
memory/3708-198-0x0000000008BD0000-0x0000000008C03000-memory.dmp

Filesize
204KB

Download
memory/3708-167-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/3708-280-0x0000000000963000-0x0000000000964000-memory.dmp

Filesize
4KB

Download
memory/3708-159-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/3708-131-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/3708-156-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/3708-148-0x0000000000962000-0x0000000000963000-memory.dmp

Filesize
4KB

Download
memory/3708-145-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3708-128-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/3708-125-0x0000000000000000-mapping.dmp

Download
memory/3708-142-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads