agenttesla | c34205b4e8f316a75c6819a8c642461fd9b05b4f9862eb6e4f3e52fd11ef52bf

General

Target

Please Confirm Your Shipment Address.exe
Size

4.6MB
MD5

ffab58789a8d188f10ae6b7a9c73c36a
SHA1

48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494
SHA256

f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea
SHA512

c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

Mecury.exe

pid process

588 Mecury.exe
Loads dropped DLL 1 IoCs

Processes:

Please Confirm Your Shipment Address.exe

pid process

1724 Please Confirm Your Shipment Address.exe

pid	process
588	Mecury.exe

pid	process
1724	Please Confirm Your Shipment Address.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1724-56-0x00000000003C0000-0x00000000003D0000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Processs = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\Mecury.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Please Confirm Your Shipment Address.exeMecury.exe

pid process

1724 Please Confirm Your Shipment Address.exe
1724 Please Confirm Your Shipment Address.exe
588 Mecury.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Please Confirm Your Shipment Address.exeMecury.exe

description pid process

Token: SeDebugPrivilege 1724 Please Confirm Your Shipment Address.exe
Token: SeDebugPrivilege 588 Mecury.exe

pid	process
1724	Please Confirm Your Shipment Address.exe
1724	Please Confirm Your Shipment Address.exe
588	Mecury.exe

description	pid	process
Token: SeDebugPrivilege	1724	Please Confirm Your Shipment Address.exe
Token: SeDebugPrivilege	588	Mecury.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Please Confirm Your Shipment Address.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 1764	1724	Please Confirm Your Shipment Address.exe	cmd.exe
PID 1724 wrote to memory of 1764	1724	Please Confirm Your Shipment Address.exe	cmd.exe
PID 1724 wrote to memory of 1764	1724	Please Confirm Your Shipment Address.exe	cmd.exe
PID 1724 wrote to memory of 1764	1724	Please Confirm Your Shipment Address.exe	cmd.exe
PID 1764 wrote to memory of 1956	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 1956	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 1956	1764	cmd.exe	reg.exe
PID 1764 wrote to memory of 1956	1764	cmd.exe	reg.exe
PID 1724 wrote to memory of 588	1724	Please Confirm Your Shipment Address.exe	Mecury.exe
PID 1724 wrote to memory of 588	1724	Please Confirm Your Shipment Address.exe	Mecury.exe
PID 1724 wrote to memory of 588	1724	Please Confirm Your Shipment Address.exe	Mecury.exe
PID 1724 wrote to memory of 588	1724	Please Confirm Your Shipment Address.exe	Mecury.exe

C:\Users\Admin\AppData\Local\Temp\Please Confirm Your Shipment Address.exe
"C:\Users\Admin\AppData\Local\Temp\Please Confirm Your Shipment Address.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Processs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\Mecury.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Processs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\Mecury.exe"
3⤵
- Adds Run key to start application
PID:1956

C:\Users\Admin\AppData\Local\Mecury.exe
"C:\Users\Admin\AppData\Local\Mecury.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mecury.exe
Filesize
4.6MB

MD5
ffab58789a8d188f10ae6b7a9c73c36a

SHA1
48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494

SHA256
f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea

SHA512
c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

Download Submit
C:\Users\Admin\AppData\Local\Mecury.exe
Filesize
4.6MB

MD5
ffab58789a8d188f10ae6b7a9c73c36a

SHA1
48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494

SHA256
f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea

SHA512
c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

Download Submit
\Users\Admin\AppData\Local\Mecury.exe
Filesize
4.6MB

MD5
ffab58789a8d188f10ae6b7a9c73c36a

SHA1
48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494

SHA256
f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea

SHA512
c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c

Download Submit
memory/588-60-0x0000000000000000-mapping.dmp

Download
memory/588-63-0x0000000000BA0000-0x0000000001046000-memory.dmp

Filesize
4.6MB

Download
memory/1724-54-0x0000000001040000-0x00000000014E6000-memory.dmp

Filesize
4.6MB

Download
memory/1724-55-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/1724-56-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1764-57-0x0000000000000000-mapping.dmp

Download
memory/1956-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads