agenttesla | 79ff327848f9254764561866a5b26ed55aa24453aea69b1f42dbcad5ac140b00

General

Target

Operational Instructions BSC BBC.pdf.exe
Size

1.1MB
MD5

636ca0dbbfd6a5c2915781a46d5db5e0
SHA1

16a0e21f57cc447b8024999bbd67553c2ffb5e6e
SHA256

79ff327848f9254764561866a5b26ed55aa24453aea69b1f42dbcad5ac140b00
SHA512

fac6d0431ed20e56b7ae7d98342fe58bcc215bbccb5cd39c76585b95827c0216ce84e85c55e0055c16c8b901d6a6ceaf75780ea253daf3fd74f07d9840bbc086

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.boydsteamships.com
Port:
587
Username:
csanchez@boydsteamships.com
Password:
co*tNjEBt4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-158-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3480-159-0x0000000000436ABE-mapping.dmp	family_agenttesla

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

3976 AdvancedRun.exe
3544 AdvancedRun.exe
3816 AdvancedRun.exe
3004 AdvancedRun.exe

pid	process
3976	AdvancedRun.exe
3544	AdvancedRun.exe
3816	AdvancedRun.exe
3004	AdvancedRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Operational Instructions BSC BBC.pdf.exe

description	pid	process	target process
PID 4060 set thread context of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeOperational Instructions BSC BBC.pdf.exeOperational Instructions BSC BBC.pdf.exe

pid	process
3272	powershell.exe
3272	powershell.exe
3272	powershell.exe
3976	AdvancedRun.exe
3976	AdvancedRun.exe
3976	AdvancedRun.exe
3976	AdvancedRun.exe
3544	AdvancedRun.exe
3544	AdvancedRun.exe
3544	AdvancedRun.exe
3544	AdvancedRun.exe
3816	AdvancedRun.exe
3816	AdvancedRun.exe
3816	AdvancedRun.exe
3816	AdvancedRun.exe
3004	AdvancedRun.exe
3004	AdvancedRun.exe
3004	AdvancedRun.exe
3004	AdvancedRun.exe
4060	Operational Instructions BSC BBC.pdf.exe
4060	Operational Instructions BSC BBC.pdf.exe
4060	Operational Instructions BSC BBC.pdf.exe
4060	Operational Instructions BSC BBC.pdf.exe
4060	Operational Instructions BSC BBC.pdf.exe
4060	Operational Instructions BSC BBC.pdf.exe
3480	Operational Instructions BSC BBC.pdf.exe
3480	Operational Instructions BSC BBC.pdf.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Operational Instructions BSC BBC.pdf.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeOperational Instructions BSC BBC.pdf.exe

description	pid	process
Token: SeDebugPrivilege	4060	Operational Instructions BSC BBC.pdf.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	3976	AdvancedRun.exe
Token: SeImpersonatePrivilege	3976	AdvancedRun.exe
Token: SeDebugPrivilege	3544	AdvancedRun.exe
Token: SeImpersonatePrivilege	3544	AdvancedRun.exe
Token: SeDebugPrivilege	3816	AdvancedRun.exe
Token: SeImpersonatePrivilege	3816	AdvancedRun.exe
Token: SeDebugPrivilege	3004	AdvancedRun.exe
Token: SeImpersonatePrivilege	3004	AdvancedRun.exe
Token: SeDebugPrivilege	3480	Operational Instructions BSC BBC.pdf.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Operational Instructions BSC BBC.pdf.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 4060 wrote to memory of 3272	4060	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 4060 wrote to memory of 3272	4060	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 4060 wrote to memory of 3272	4060	Operational Instructions BSC BBC.pdf.exe	powershell.exe
PID 4060 wrote to memory of 3976	4060	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 4060 wrote to memory of 3976	4060	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 4060 wrote to memory of 3976	4060	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 3976 wrote to memory of 3544	3976	AdvancedRun.exe	AdvancedRun.exe
PID 3976 wrote to memory of 3544	3976	AdvancedRun.exe	AdvancedRun.exe
PID 3976 wrote to memory of 3544	3976	AdvancedRun.exe	AdvancedRun.exe
PID 4060 wrote to memory of 3816	4060	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 4060 wrote to memory of 3816	4060	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 4060 wrote to memory of 3816	4060	Operational Instructions BSC BBC.pdf.exe	AdvancedRun.exe
PID 3816 wrote to memory of 3004	3816	AdvancedRun.exe	AdvancedRun.exe
PID 3816 wrote to memory of 3004	3816	AdvancedRun.exe	AdvancedRun.exe
PID 3816 wrote to memory of 3004	3816	AdvancedRun.exe	AdvancedRun.exe
PID 4060 wrote to memory of 3912	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3912	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3912	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe
PID 4060 wrote to memory of 3480	4060	Operational Instructions BSC BBC.pdf.exe	Operational Instructions BSC BBC.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 20
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3976
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3816
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe"
2⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Operational Instructions BSC BBC.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Operational Instructions BSC BBC.pdf.exe.log
MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/3004-156-0x0000000000000000-mapping.dmp

Download
memory/3272-127-0x0000000000D02000-0x0000000000D03000-memory.dmp

Filesize
4KB

Download
memory/3272-139-0x0000000009370000-0x0000000009371000-memory.dmp

Filesize
4KB

Download
memory/3272-121-0x0000000000000000-mapping.dmp

Download
memory/3272-126-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3272-128-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/3272-129-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/3272-130-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3272-131-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3272-132-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/3272-133-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/3272-134-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/3272-124-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3272-140-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/3272-125-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3272-147-0x0000000000D03000-0x0000000000D04000-memory.dmp

Filesize
4KB

Download
memory/3480-165-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3480-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-166-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3480-164-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3480-159-0x0000000000436ABE-mapping.dmp

Download
memory/3544-152-0x0000000000000000-mapping.dmp

Download
memory/3816-154-0x0000000000000000-mapping.dmp

Download
memory/3976-149-0x0000000000000000-mapping.dmp

Download
memory/4060-148-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/4060-117-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4060-118-0x0000000004A80000-0x0000000004F7E000-memory.dmp

Filesize
5.0MB

Download
memory/4060-119-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4060-116-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4060-120-0x0000000004CF0000-0x0000000004D38000-memory.dmp

Filesize
288KB

Download
memory/4060-146-0x0000000004F00000-0x0000000004F27000-memory.dmp

Filesize
156KB

Download
memory/4060-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads