agenttesla | bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-en-20210920
submitted
20-10-2021 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order specification & Drawing_Docx.scr
Size

1.1MB
MD5

822545bbbff1e68337bfd9e87ab08aeb
SHA1

3182db783dd2713d9971bf6539304c83eacc0b35
SHA256

bb6424f6051455bd165527d6fd1fc1e6d48292562eb17ea80425018625126f3d
SHA512

397f993ffd183ab7651fe3a00f18fbea0712e39fb0ef4377e33b7b91961b1bbaef8ed381e9d547bd81472dcb309fe0365b10316fbf5dae44b1fe1f2f6c496a90

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
secure300.inmotionhosting.com
Port:
587
Username:
[email protected]
Password:
HCBo3_tl-nKP1@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1536-74-0x00000000003B6CEE-mapping.dmp	family_agenttesla
behavioral1/memory/1536-73-0x0000000000380000-0x00000000008A4000-memory.dmp	family_agenttesla
behavioral1/memory/1536-77-0x0000000000380000-0x00000000008A4000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

ahkfkeufr.pifRegSvcs.exe

pid process

1280 ahkfkeufr.pif
1536 RegSvcs.exe

pid	process
1280	ahkfkeufr.pif
1536	RegSvcs.exe

Loads dropped DLL 5 IoCs

Processes:

Order specification & Drawing_Docx.scrahkfkeufr.pif

pid	process
2040	Order specification & Drawing_Docx.scr
2040	Order specification & Drawing_Docx.scr
2040	Order specification & Drawing_Docx.scr
2040	Order specification & Drawing_Docx.scr
1280	ahkfkeufr.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

ahkfkeufr.pif

description pid process target process

PID 1280 set thread context of 1536 1280 ahkfkeufr.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ahkfkeufr.pifRegSvcs.exe

pid process

1280 ahkfkeufr.pif
1536 RegSvcs.exe
1536 RegSvcs.exe
1536 RegSvcs.exe
1536 RegSvcs.exe
1536 RegSvcs.exe
1536 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1536 RegSvcs.exe

description	pid	process	target process
PID 1280 set thread context of 1536	1280	ahkfkeufr.pif	RegSvcs.exe

pid	process
1280	ahkfkeufr.pif
1536	RegSvcs.exe
1536	RegSvcs.exe
1536	RegSvcs.exe
1536	RegSvcs.exe
1536	RegSvcs.exe
1536	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1536	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

Order specification & Drawing_Docx.scrahkfkeufr.pif

description	pid	process	target process
PID 2040 wrote to memory of 1280	2040	Order specification & Drawing_Docx.scr	ahkfkeufr.pif
PID 2040 wrote to memory of 1280	2040	Order specification & Drawing_Docx.scr	ahkfkeufr.pif
PID 2040 wrote to memory of 1280	2040	Order specification & Drawing_Docx.scr	ahkfkeufr.pif
PID 2040 wrote to memory of 1280	2040	Order specification & Drawing_Docx.scr	ahkfkeufr.pif
PID 1280 wrote to memory of 1796	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1796	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1796	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1796	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1460	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1460	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1460	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1460	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1312	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1312	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1312	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1312	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1544	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1544	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1544	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1544	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 432	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 432	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 432	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 432	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1128	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1128	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1128	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1128	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1828	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1828	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1828	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1828	1280	ahkfkeufr.pif	mshta.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe
PID 1280 wrote to memory of 1536	1280	ahkfkeufr.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Order specification & Drawing_Docx.scr
"C:\Users\Admin\AppData\Local\Temp\Order specification & Drawing_Docx.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif
"C:\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif" vprwhvm.wod
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1796

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1460

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1312

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:432

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1128

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\AppData\Roaming\62970013\peqthxvu.docx
MD5
e4d97482af25d2c18b87cdf02113a1a0

SHA1
76679844eddb4f9d0aad648c33a8b15e89f758de

SHA256
7f5270d4c0bce50b1e557220dde83320fd149c7057d334e1337b6ad334d628dd

SHA512
3a179f01a4a466db744b2645a31a612bf4ca32e6f94973b6ceb3c6aad5e5e653748b440425137473be0029fc2195dd1404972eb3716cb164397956c992307776

Download Submit
C:\Users\Admin\AppData\Roaming\62970013\spfbrrst.txi
MD5
aa1550ffd37fe72cae4741caee105f1c

SHA1
eb8a3a4b10271abc12b6555341971f37d96439ba

SHA256
158dc88256b52a0ce7e10eea1c3c4129459ed5d40a23ba7025db8d01a4a5862a

SHA512
883196f891aefe75ee577bebd8705d246c2250beb87b06db0204da8d87b778232cf45a43d8dac64842dd7535eda1065975d718c84f094606de2ad5c12d06db0f

Download Submit
C:\Users\Admin\AppData\Roaming\62970013\vprwhvm.wod
MD5
ce806ddd0b4cedbc25f3f8b01b981e64

SHA1
12f610463cfd7d5bd5c8bb395702502dd6b800af

SHA256
89a6e83fd4722a7f7cab32b5d68b3134af1aa18171dd37af10dabe31de9378a8

SHA512
a1e6837bf66c305add37b3185722e029e7dd27fb250db96c18b2bdf12a9df4b7e3e7810d74480735a1d730eccefb95b90117d6081ba99e56a5129070991bd5ba

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Roaming\62970013\ahkfkeufr.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
memory/432-67-0x0000000000000000-mapping.dmp

Download
memory/1128-68-0x0000000000000000-mapping.dmp

Download
memory/1280-58-0x0000000000000000-mapping.dmp

Download
memory/1312-65-0x0000000000000000-mapping.dmp

Download
memory/1460-64-0x0000000000000000-mapping.dmp

Download
memory/1536-72-0x0000000000380000-0x00000000008A4000-memory.dmp

Filesize
5.1MB

Download
memory/1536-74-0x00000000003B6CEE-mapping.dmp

Download
memory/1536-73-0x0000000000380000-0x00000000008A4000-memory.dmp

Filesize
5.1MB

Download
memory/1536-77-0x0000000000380000-0x00000000008A4000-memory.dmp

Filesize
5.1MB

Download
memory/1536-79-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1544-66-0x0000000000000000-mapping.dmp

Download
memory/1796-63-0x0000000000000000-mapping.dmp

Download
memory/1828-69-0x0000000000000000-mapping.dmp

Download
memory/2040-53-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads