agenttesla | f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e

General

Target

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Size

1.2MB
MD5

e330461dfd3ff5099a0b05e06bc4bda9
SHA1

0faeb359703506fd0e0fa21ab3b23dda5ea868e6
SHA256

f85de586c3a33df88ebb5493c0bbcbd18c9f732e201c4c1604f2b2779976434e
SHA512

078bd784300123e45954db43d8d2ad941af2015856e533781303a60357f56d013cf9a3da1c023b38df81e0e186103bf98ed7f8edede42b35a6128e0b4a9381dc

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.themainreport.co.nz
Port:
587
Username:
[email protected]
Password:
-I;MGhTyL{AQ

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3132-142-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3132-144-0x000000000043783E-mapping.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3008-122-0x00000000059D0000-0x00000000059DB000-memory.dmp	CustAttr

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

apwxc.exe

pid process

588 apwxc.exe

pid	process
588	apwxc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe"	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	pid	process	target process
PID 3008 set thread context of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2052 schtasks.exe

pid	process
2052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exepowershell.exepowershell.exepowershell.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

pid	process
3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
2100	powershell.exe
3828	powershell.exe
2440	powershell.exe
3132	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
3132	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
2100	powershell.exe
3828	powershell.exe
2440	powershell.exe
2440	powershell.exe
3828	powershell.exe
2100	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exepowershell.exepowershell.exepowershell.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	pid	process
Token: SeDebugPrivilege	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3132	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

GHAI SHIPMENT SCHEDULE 28TH-07-2021.exeGHAI SHIPMENT SCHEDULE 28TH-07-2021.exe

description	pid	process	target process
PID 3008 wrote to memory of 2100	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 2100	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 2100	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 3828	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 3828	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 3828	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 2052	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	schtasks.exe
PID 3008 wrote to memory of 2052	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	schtasks.exe
PID 3008 wrote to memory of 2052	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	schtasks.exe
PID 3008 wrote to memory of 2440	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 2440	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 2440	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	powershell.exe
PID 3008 wrote to memory of 2768	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 2768	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 2768	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 2136	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 2136	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 2136	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3008 wrote to memory of 3132	3008	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
PID 3132 wrote to memory of 588	3132	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	apwxc.exe
PID 3132 wrote to memory of 588	3132	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	apwxc.exe
PID 3132 wrote to memory of 588	3132	GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe	apwxc.exe

C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
"C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ayFJdzpy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ayFJdzpy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAEE.tmp"
2⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ayFJdzpy.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
"C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
2⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
"C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
2⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe
"C:\Users\Admin\AppData\Local\Temp\GHAI SHIPMENT SCHEDULE 28TH-07-2021.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\apwxc.exe
"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"
3⤵
- Executes dropped EXE
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
252e0f23afd71c51597b930d9ffd1cce

SHA1
48622bd82109d161ed4fac36b32b6372b4863740

SHA256
e09e979b0ac9df3e2fad6c244e2fba225bbab17205ea29823f6b36ed1f3ecbf9

SHA512
1b1d4a2a9b6aeb97089be9ab011120540a90eaf6dd9c01f2152baddc29016439c775af4976b8ed76b1564dd9bbba850f9550284d05d446ffc09e3ff9c61c5649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
252e0f23afd71c51597b930d9ffd1cce

SHA1
48622bd82109d161ed4fac36b32b6372b4863740

SHA256
e09e979b0ac9df3e2fad6c244e2fba225bbab17205ea29823f6b36ed1f3ecbf9

SHA512
1b1d4a2a9b6aeb97089be9ab011120540a90eaf6dd9c01f2152baddc29016439c775af4976b8ed76b1564dd9bbba850f9550284d05d446ffc09e3ff9c61c5649

Download Submit
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
MD5
ddde6fc0ce346b0ab7bb0c8c02a09d33

SHA1
1067652f21fd05902288613746b5e2ea79bd07f9

SHA256
a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

SHA512
66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
MD5
ddde6fc0ce346b0ab7bb0c8c02a09d33

SHA1
1067652f21fd05902288613746b5e2ea79bd07f9

SHA256
a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

SHA512
66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEE.tmp
MD5
675566ed2cff7ac588436a51c2949fc5

SHA1
b373ec79fb87358b44ed5d5625dffd81f53d58cd

SHA256
fcba300bdd1304275c6940ea3402a12e5dcf7d41970536e04e6630a872f2b03a

SHA512
a9e020305b1489aab3df740ea2f5749a23c697e848436faf0cea79f7eb0395ad90d458eba411ece7d2d8b30cb5202394c88b81e5a4808dc337df14e964ee66fd

Download Submit
memory/588-886-0x0000000000000000-mapping.dmp

Download
memory/588-896-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/2052-129-0x0000000000000000-mapping.dmp

Download
memory/2100-158-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/2100-243-0x0000000006563000-0x0000000006564000-memory.dmp

Filesize
4KB

Download
memory/2100-208-0x000000007E8B0000-0x000000007E8B1000-memory.dmp

Filesize
4KB

Download
memory/2100-125-0x0000000000000000-mapping.dmp

Download
memory/2100-130-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/2100-132-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2100-136-0x0000000006562000-0x0000000006563000-memory.dmp

Filesize
4KB

Download
memory/2100-134-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/2440-162-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/2440-165-0x0000000006E42000-0x0000000006E43000-memory.dmp

Filesize
4KB

Download
memory/2440-211-0x000000007F8C0000-0x000000007F8C1000-memory.dmp

Filesize
4KB

Download
memory/2440-141-0x0000000000000000-mapping.dmp

Download
memory/2440-244-0x0000000006E43000-0x0000000006E44000-memory.dmp

Filesize
4KB

Download
memory/2440-198-0x0000000009290000-0x00000000092C3000-memory.dmp

Filesize
204KB

Download
memory/2440-152-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/2440-155-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/2440-173-0x0000000008540000-0x0000000008541000-memory.dmp

Filesize
4KB

Download
memory/2440-161-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3008-119-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/3008-120-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/3008-118-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3008-117-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/3008-121-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/3008-124-0x0000000006850000-0x0000000006889000-memory.dmp

Filesize
228KB

Download
memory/3008-116-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/3008-122-0x00000000059D0000-0x00000000059DB000-memory.dmp

Filesize
44KB

Download
memory/3008-123-0x00000000067D0000-0x0000000006848000-memory.dmp

Filesize
480KB

Download
memory/3132-144-0x000000000043783E-mapping.dmp

Download
memory/3132-166-0x00000000050A0000-0x000000000559E000-memory.dmp

Filesize
5.0MB

Download
memory/3132-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-242-0x0000000006F93000-0x0000000006F94000-memory.dmp

Filesize
4KB

Download
memory/3828-215-0x000000007EE10000-0x000000007EE11000-memory.dmp

Filesize
4KB

Download
memory/3828-170-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/3828-167-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/3828-138-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/3828-137-0x0000000006F92000-0x0000000006F93000-memory.dmp

Filesize
4KB

Download
memory/3828-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads