agenttesla | 37c712662321d51383b50cc3973ba187706384859c6ff4f9e43e8be3c9e6dfe4

General

Target

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
Size

610KB
MD5

b3a27137bfa9f92fe6b4cc7f0aaf08f4
SHA1

266e5d674bd1fe6135bd74658bb8a1d58777bbe0
SHA256

37c712662321d51383b50cc3973ba187706384859c6ff4f9e43e8be3c9e6dfe4
SHA512

2aec6a1ffd6a1df55ca456ed80b42b28f10f98ab11ab1cfefad29529037e433a7cb527ab081fbcddcf38c70adf2b0bbb484e936f42a5720fbfc2943b7d96a37a

Score

10^/10

agenttesla neshta keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://nanyainc.cf/
Port:
21
Username:
[email protected]
Password:
7qB+iH=KrUUT

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4260-138-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4260-141-0x0000000005010000-0x00000000055B4000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exeb3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

pid process

2160 b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
4260 b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

pid	process
2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
4260	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

description pid process target process

PID 2160 set thread context of 4260 2160 b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

description	pid	process	target process
PID 2160 set thread context of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

Drops file in Windows directory 9 IoCs

Processes:

TiWorker.exeb3a27137bfa9f92fe6b4cc7f0aaf08f4.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\svchost.com	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

pid process

4260 b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
4260 b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

pid	process
4260	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
4260	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	4260	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
Token: SeShutdownPrivilege	2352	svchost.exe
Token: SeCreatePagefilePrivilege	2352	svchost.exe
Token: SeShutdownPrivilege	2352	svchost.exe
Token: SeCreatePagefilePrivilege	2352	svchost.exe
Token: SeShutdownPrivilege	2352	svchost.exe
Token: SeCreatePagefilePrivilege	2352	svchost.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe
Token: SeBackupPrivilege	1736	TiWorker.exe
Token: SeRestorePrivilege	1736	TiWorker.exe
Token: SeSecurityPrivilege	1736	TiWorker.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b3a27137bfa9f92fe6b4cc7f0aaf08f4.exeb3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

description	pid	process	target process
PID 312 wrote to memory of 2160	312	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 312 wrote to memory of 2160	312	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 312 wrote to memory of 2160	312	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
PID 2160 wrote to memory of 4260	2160	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe	b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe

C:\Users\Admin\AppData\Local\Temp\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
"C:\Users\Admin\AppData\Local\Temp\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
MD5
cc2133f03997221244a4a684e8826f26

SHA1
6ec6ffa9180b886fdfd0fa8cdeabbbd3c4391737

SHA256
4b17ac7e6e9b1dc14be2216ce0ff5ba66c80e0aed3c680e5269b875f914ee65c

SHA512
d7b537fe99caa57b36a025bc750ee3f7c2187bab555148768799f48615cdd14c41394bfdca6f2e810b085a6a7982b44c2aec70fa202bb716f248e5f4f4105f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
MD5
cc2133f03997221244a4a684e8826f26

SHA1
6ec6ffa9180b886fdfd0fa8cdeabbbd3c4391737

SHA256
4b17ac7e6e9b1dc14be2216ce0ff5ba66c80e0aed3c680e5269b875f914ee65c

SHA512
d7b537fe99caa57b36a025bc750ee3f7c2187bab555148768799f48615cdd14c41394bfdca6f2e810b085a6a7982b44c2aec70fa202bb716f248e5f4f4105f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b3a27137bfa9f92fe6b4cc7f0aaf08f4.exe
MD5
cc2133f03997221244a4a684e8826f26

SHA1
6ec6ffa9180b886fdfd0fa8cdeabbbd3c4391737

SHA256
4b17ac7e6e9b1dc14be2216ce0ff5ba66c80e0aed3c680e5269b875f914ee65c

SHA512
d7b537fe99caa57b36a025bc750ee3f7c2187bab555148768799f48615cdd14c41394bfdca6f2e810b085a6a7982b44c2aec70fa202bb716f248e5f4f4105f91

Download Submit
memory/2160-136-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/2160-134-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2160-135-0x0000000005C30000-0x0000000005CCC000-memory.dmp

Filesize
624KB

Download
memory/2160-133-0x0000000073B80000-0x0000000074330000-memory.dmp

Filesize
7.7MB

Download
memory/2160-137-0x0000000006630000-0x0000000006BD4000-memory.dmp

Filesize
5.6MB

Download
memory/2160-132-0x0000000000F50000-0x0000000000FE4000-memory.dmp

Filesize
592KB

Download
memory/2352-154-0x000001E26E1E0000-0x000001E26E1E4000-memory.dmp

Filesize
16KB

Download
memory/4260-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-140-0x0000000073B80000-0x0000000074330000-memory.dmp

Filesize
7.7MB

Download
memory/4260-141-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/4260-155-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads