agenttesla | 756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b

General

Target

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
Size

537KB
MD5

fa548af33ac073be63464186b33198aa
SHA1

6a49f366a9e962fca0f33d4fbd9a7bab9b076306
SHA256

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b
SHA512

47378048c422c793cffb091c782739ae34fd39788820c73c49215a6e859768c9e89d0e73f7aa7284ad5f6254add180d57c95b2a8a0b72b5f60524663eac7b962

Score

10^/10

agenttesla coreentity evasion keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tolipgoldenplaza.com
Port:
587
Username:
[email protected]
Password:
Golden@#$2019

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1996-63-0x00000000003A0000-0x00000000003A2000-memory.dmp	coreentity

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1636-67-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1636-68-0x000000000044C97E-mapping.dmp	family_agenttesla
behavioral1/memory/1636-69-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1996-64-0x0000000001F40000-0x0000000001F93000-memory.dmp	rezer0

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

Processes:

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

description	pid	process	target process
PID 1996 set thread context of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1524 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

756 REG.exe

pid	process
1524	schtasks.exe

pid	process
756	REG.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

pid	process
1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

description	pid	process
Token: SeDebugPrivilege	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
Token: SeDebugPrivilege	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe

description	pid	process	target process
PID 1996 wrote to memory of 1524	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	schtasks.exe
PID 1996 wrote to memory of 1524	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	schtasks.exe
PID 1996 wrote to memory of 1524	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	schtasks.exe
PID 1996 wrote to memory of 1524	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	schtasks.exe
PID 1996 wrote to memory of 1616	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1616	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1616	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1616	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1996 wrote to memory of 1636	1996	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
PID 1636 wrote to memory of 756	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	REG.exe
PID 1636 wrote to memory of 756	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	REG.exe
PID 1636 wrote to memory of 756	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	REG.exe
PID 1636 wrote to memory of 756	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	REG.exe
PID 1636 wrote to memory of 1468	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	netsh.exe
PID 1636 wrote to memory of 1468	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	netsh.exe
PID 1636 wrote to memory of 1468	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	netsh.exe
PID 1636 wrote to memory of 1468	1636	756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
"C:\Users\Admin\AppData\Local\Temp\756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IFaysgfEOJsfZd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA89E.tmp"
2⤵
- Creates scheduled task(s)
PID:1524

C:\Users\Admin\AppData\Local\Temp\756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
"{path}"
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\756feeaec24bcada5d473a53931ac665c2a159083f408d41e7fe1c8fcb0b9a6b.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:756

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA89E.tmp
MD5
9dcd09e8af00561fa2121d1a22d0c6c7

SHA1
b5c197f88d8e4c5cbc0efad9b05806f81d472a2c

SHA256
cea1e10aee38ef58ae86e01466ae9a6f438c4e3a71c6dd28532f778a314ce52d

SHA512
6b7e5990195be5382fb5381304c5651c14cff4f21acc0184adb92b9a99e5b19ea7cc9a1ca3c13f755f573042c0821732df9521cb8aaaa275b5e10293090588eb

Download Submit
memory/756-73-0x0000000000000000-mapping.dmp

Download
memory/1468-74-0x0000000000000000-mapping.dmp

Download
memory/1524-65-0x0000000000000000-mapping.dmp

Download
memory/1636-71-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1636-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-68-0x000000000044C97E-mapping.dmp

Download
memory/1636-69-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-72-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1636-76-0x0000000004DE1000-0x0000000004DE2000-memory.dmp

Filesize
4KB

Download
memory/1996-64-0x0000000001F40000-0x0000000001F93000-memory.dmp

Filesize
332KB

Download
memory/1996-60-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1996-63-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/1996-62-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads