agenttesla | d8582456e1b2bddc01c3e32d8953c20455b624f67fcb38b236a28ce103b0f45d

General

Target

swift-copy.exe
Size

605KB
MD5

268ee61883da5c0e12519e1cdcaa0e8e
SHA1

9f3c34b806ba935a5d19bbb2936792669f8bc6fe
SHA256

d8582456e1b2bddc01c3e32d8953c20455b624f67fcb38b236a28ce103b0f45d
SHA512

81861255daa21047c4c94eed86c20bec0be193cf0aa6ac8bce6a8cd70a6edfe9d9eb977f164650357cac463ca9e1e55d60f43706f6b78bb9e3daa959acbf7173

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.diva-italia.com
Port:
587
Username:
[email protected]
Password:
rr.@%5LjgLz7

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/728-134-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/728-135-0x000000000043761E-mapping.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

swift-copy.exe

description pid process target process

PID 1872 set thread context of 728 1872 swift-copy.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1760 schtasks.exe

description	pid	process	target process
PID 1872 set thread context of 728	1872	swift-copy.exe	RegSvcs.exe

pid	process
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

swift-copy.exepowershell.exeRegSvcs.exe

pid	process
1872	swift-copy.exe
1872	swift-copy.exe
1872	swift-copy.exe
1872	swift-copy.exe
2824	powershell.exe
728	RegSvcs.exe
728	RegSvcs.exe
2824	powershell.exe
2824	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

swift-copy.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1872 swift-copy.exe
Token: SeDebugPrivilege 2824 powershell.exe
Token: SeDebugPrivilege 728 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1872	swift-copy.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	728	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

swift-copy.exe

description	pid	process	target process
PID 1872 wrote to memory of 2824	1872	swift-copy.exe	powershell.exe
PID 1872 wrote to memory of 2824	1872	swift-copy.exe	powershell.exe
PID 1872 wrote to memory of 2824	1872	swift-copy.exe	powershell.exe
PID 1872 wrote to memory of 1760	1872	swift-copy.exe	schtasks.exe
PID 1872 wrote to memory of 1760	1872	swift-copy.exe	schtasks.exe
PID 1872 wrote to memory of 1760	1872	swift-copy.exe	schtasks.exe
PID 1872 wrote to memory of 1096	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 1096	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 1096	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe
PID 1872 wrote to memory of 728	1872	swift-copy.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\swift-copy.exe
"C:\Users\Admin\AppData\Local\Temp\swift-copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDReoVDSERhDFm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDReoVDSERhDFm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25E3.tmp"
2⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp25E3.tmp
MD5
dde970f6228adeb4b04de2396666993c

SHA1
e8b5f691dfbefd987bcfa72583179ee6ed153e9d

SHA256
933e5f092a34cf8602fb045552d894d72f0a3306289e286060706c4ac7d69c37

SHA512
cd4adb220ed2f82aa04675da9c811473e4aaeaa773c3cff7c8412c2b845b60fb7908f40d0800ad39e47685a17842726ff8312e037c6d1cb283262ce190a9e061

Download Submit
memory/728-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/728-135-0x000000000043761E-mapping.dmp

Download
memory/728-148-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1760-128-0x0000000000000000-mapping.dmp

Download
memory/1872-122-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1872-125-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

Filesize
4KB

Download
memory/1872-126-0x00000000091E0000-0x000000000926E000-memory.dmp

Filesize
568KB

Download
memory/1872-118-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1872-124-0x0000000005BD0000-0x0000000005BD6000-memory.dmp

Filesize
24KB

Download
memory/1872-123-0x0000000005700000-0x0000000005BFE000-memory.dmp

Filesize
5.0MB

Download
memory/1872-121-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1872-120-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/2824-127-0x0000000000000000-mapping.dmp

Download
memory/2824-147-0x0000000007362000-0x0000000007363000-memory.dmp

Filesize
4KB

Download
memory/2824-131-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2824-130-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2824-138-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/2824-140-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2824-142-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/2824-143-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/2824-144-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/2824-145-0x0000000008A40000-0x0000000008A41000-memory.dmp

Filesize
4KB

Download
memory/2824-146-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/2824-132-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/2824-129-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2824-149-0x0000000008930000-0x0000000008931000-memory.dmp

Filesize
4KB

Download
memory/2824-150-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2824-157-0x0000000009890000-0x00000000098C3000-memory.dmp

Filesize
204KB

Download
memory/2824-164-0x0000000009870000-0x0000000009871000-memory.dmp

Filesize
4KB

Download
memory/2824-169-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/2824-170-0x000000007E980000-0x000000007E981000-memory.dmp

Filesize
4KB

Download
memory/2824-171-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

Filesize
4KB

Download
memory/2824-240-0x0000000007363000-0x0000000007364000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads