agenttesla | ff97953e40782435e5aab8bf6469f7817f45f1c1f7f10961b406002e781fe6e7

General

Target

SEB_BANK.EXE
Size

27KB
MD5

ed3366cb849f6d62bb381e66d96b42ff
SHA1

41dd0051e764c1d2bf820b753c41f249fd25ba8a
SHA256

13f1dfeffed355ec22cb812a98ae895fa0ac4f5e83f9ff5598649b3933f0d53e
SHA512

6423e833a759a989a6d23ee03d244771d05c2a292ecb420e5b641ec047fa33fec2ba7e96d909474689480804298baa3d54f554f4e11954b742cd6c10dda7feec

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.ingeniumhea.com
Port:
587
Username:
mantenimiento@ingeniumhea.com
Password:
IngeniumM18

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1636-163-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/1636-164-0x0000000000436D0E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

SEB_BANK.EXE

description pid process target process

PID 2756 set thread context of 1636 2756 SEB_BANK.EXE SEB_BANK.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1236 PING.EXE
1056 PING.EXE

description	pid	process	target process
PID 2756 set thread context of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE

pid	process
1236	PING.EXE
1056	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeSEB_BANK.EXESEB_BANK.EXE

pid	process
552	powershell.exe
552	powershell.exe
552	powershell.exe
972	powershell.exe
972	powershell.exe
972	powershell.exe
2756	SEB_BANK.EXE
2756	SEB_BANK.EXE
1636	SEB_BANK.EXE
1636	SEB_BANK.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SEB_BANK.EXEpowershell.exepowershell.exeSEB_BANK.EXE

description	pid	process
Token: SeDebugPrivilege	2756	SEB_BANK.EXE
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1636	SEB_BANK.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

SEB_BANK.EXEpowershell.exepowershell.exe

description	pid	process	target process
PID 2756 wrote to memory of 552	2756	SEB_BANK.EXE	powershell.exe
PID 2756 wrote to memory of 552	2756	SEB_BANK.EXE	powershell.exe
PID 2756 wrote to memory of 552	2756	SEB_BANK.EXE	powershell.exe
PID 552 wrote to memory of 1236	552	powershell.exe	PING.EXE
PID 552 wrote to memory of 1236	552	powershell.exe	PING.EXE
PID 552 wrote to memory of 1236	552	powershell.exe	PING.EXE
PID 2756 wrote to memory of 972	2756	SEB_BANK.EXE	powershell.exe
PID 2756 wrote to memory of 972	2756	SEB_BANK.EXE	powershell.exe
PID 2756 wrote to memory of 972	2756	SEB_BANK.EXE	powershell.exe
PID 972 wrote to memory of 1056	972	powershell.exe	PING.EXE
PID 972 wrote to memory of 1056	972	powershell.exe	PING.EXE
PID 972 wrote to memory of 1056	972	powershell.exe	PING.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE
PID 2756 wrote to memory of 1636	2756	SEB_BANK.EXE	SEB_BANK.EXE

C:\Users\Admin\AppData\Local\Temp\SEB_BANK.EXE
"C:\Users\Admin\AppData\Local\Temp\SEB_BANK.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" bing.com
3⤵
- Runs ping.exe
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" bing.com
3⤵
- Runs ping.exe
PID:1056

C:\Users\Admin\AppData\Local\Temp\SEB_BANK.EXE
C:\Users\Admin\AppData\Local\Temp\SEB_BANK.EXE
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SEB_BANK.EXE.log
MD5
1755d02418241b16d29f6f19bb49952e

SHA1
55a2a978b98c43820f21a8b7597515d804e43d2c

SHA256
ebeb444cf2bd1945e7be508cc782963cf8cf9cedb1680a776f41eb0bf763a561

SHA512
6cd5449f39199e276ea335af0721384ba18009932c8eed5a36e43f1e08b0890291fb9d033aee8c6e8c88899a44504cb222404137ea6b0d847a49a14971f47c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e33ed3d4cc9b2e5a08ae25747ef47620

SHA1
e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

SHA256
0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

SHA512
9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
90b2a9d5b59a62ccc7922df5ee7540d3

SHA1
5822f69311f2346d941778722262611e333fe80d

SHA256
b241cb2c23f3cd297c958e2c43c3062bab31dbea368a122cd56c753d56718b6e

SHA512
79de00e2e6e4f08b2eb37e91034d877b9954f7bd11caeb3fec04a369e850737ae5b6c6cb4e07b066c21ac399a21fd04ae1a8eae859ee076975770b665a801a21

Download Submit
memory/552-136-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/552-125-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/552-121-0x0000000000000000-mapping.dmp

Download
memory/552-122-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/552-123-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/552-124-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/552-151-0x0000000004B04000-0x0000000004B06000-memory.dmp

Filesize
8KB

Download
memory/552-127-0x0000000004B02000-0x0000000004B03000-memory.dmp

Filesize
4KB

Download
memory/552-126-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/552-128-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/552-129-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/552-130-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/552-131-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/552-132-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/552-133-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/552-134-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/552-150-0x0000000004B03000-0x0000000004B04000-memory.dmp

Filesize
4KB

Download
memory/972-156-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/972-137-0x0000000000000000-mapping.dmp

Download
memory/972-157-0x0000000004933000-0x0000000004934000-memory.dmp

Filesize
4KB

Download
memory/972-158-0x0000000004934000-0x0000000004936000-memory.dmp

Filesize
8KB

Download
memory/972-140-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/972-153-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/972-152-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/972-139-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1056-155-0x0000000000000000-mapping.dmp

Download
memory/1236-135-0x0000000000000000-mapping.dmp

Download
memory/1636-170-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1636-169-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1636-171-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1636-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-164-0x0000000000436D0E-mapping.dmp

Download
memory/2756-120-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/2756-162-0x0000000007280000-0x00000000072A6000-memory.dmp

Filesize
152KB

Download
memory/2756-161-0x0000000002273000-0x0000000002275000-memory.dmp

Filesize
8KB

Download
memory/2756-159-0x0000000007850000-0x00000000078C6000-memory.dmp

Filesize
472KB

Download
memory/2756-117-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2756-119-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2756-118-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/2756-115-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads