agenttesla | aca668c90184195a053af9c46b7c920733c941dc7986403f9a218bc17af4ecf5

General

Target

DHL TRACKING AWB.exe
Size

431KB
MD5

04ee28357218fa30d113db9c8d775079
SHA1

619d2ce20b1ae15f0fc0c6dd4d6b659271ed71e5
SHA256

7ae58eeb4ed1bd534122941fa3bb1c2971a982497566757b7a4b062c2756745d
SHA512

b7f9826b56e38990a4ca1522487533aeca42a3e205f1ced89d6e46c05b17f1383f8eaf5064bb8aebcb139878ffb97e2eebb3bdbef869bb3cc7e5899e24f140f3

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.microtechlab.in
Port:
587
Username:
[email protected]
Password:
pune@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1844-138-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHL TRACKING AWB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	DHL TRACKING AWB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL TRACKING AWB.exe

description pid process target process

PID 4176 set thread context of 1844 4176 DHL TRACKING AWB.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4780 1844 WerFault.exe RegSvcs.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5104 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

4320 REG.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

DHL TRACKING AWB.exeRegSvcs.exe

pid process

4176 DHL TRACKING AWB.exe
1844 RegSvcs.exe
1844 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL TRACKING AWB.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4176 DHL TRACKING AWB.exe
Token: SeDebugPrivilege 1844 RegSvcs.exe

description	pid	process	target process
PID 4176 set thread context of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe

pid	pid_target	process	target process
4780	1844	WerFault.exe	RegSvcs.exe

pid	process
5104	schtasks.exe

pid	process
4320	REG.exe

pid	process
4176	DHL TRACKING AWB.exe
1844	RegSvcs.exe
1844	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4176	DHL TRACKING AWB.exe
Token: SeDebugPrivilege	1844	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

DHL TRACKING AWB.exeRegSvcs.exe

description	pid	process	target process
PID 4176 wrote to memory of 5104	4176	DHL TRACKING AWB.exe	schtasks.exe
PID 4176 wrote to memory of 5104	4176	DHL TRACKING AWB.exe	schtasks.exe
PID 4176 wrote to memory of 5104	4176	DHL TRACKING AWB.exe	schtasks.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 4176 wrote to memory of 1844	4176	DHL TRACKING AWB.exe	RegSvcs.exe
PID 1844 wrote to memory of 4320	1844	RegSvcs.exe	REG.exe
PID 1844 wrote to memory of 4320	1844	RegSvcs.exe	REG.exe
PID 1844 wrote to memory of 4320	1844	RegSvcs.exe	REG.exe
PID 1844 wrote to memory of 872	1844	RegSvcs.exe	netsh.exe
PID 1844 wrote to memory of 872	1844	RegSvcs.exe	netsh.exe
PID 1844 wrote to memory of 872	1844	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\DHL TRACKING AWB.exe
"C:\Users\Admin\AppData\Local\Temp\DHL TRACKING AWB.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BDujLJKyjL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B89.tmp"
2⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:4320

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1580
3⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844
1⤵
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7B89.tmp
Filesize
1KB

MD5
e588a9136375de55e575b576ca07311a

SHA1
e49b436b4b3b6ca956f67b62e5b9cad7e05f78ed

SHA256
db9c49af40c97cac98e327a18b0ab136dc24b983c6fba2158b9fa5d5b0cf4364

SHA512
ad4647c151ac5d6f0f086d4b88b98a22d8ccd3f3bcb2fcf9ee5318911341d80b5ec10d978d54d4644c5b0efcc59b8275e2c2e4920b3a0afe25a828ca00ec4148

Download Submit
memory/872-142-0x0000000000000000-mapping.dmp

Download
memory/1844-139-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/1844-137-0x0000000000000000-mapping.dmp

Download
memory/1844-138-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1844-141-0x00000000065D0000-0x0000000006620000-memory.dmp

Filesize
320KB

Download
memory/4176-133-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/4176-134-0x00000000090C0000-0x000000000915C000-memory.dmp

Filesize
624KB

Download
memory/4176-132-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/4176-130-0x0000000000DA0000-0x0000000000E12000-memory.dmp

Filesize
456KB

Download
memory/4176-131-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4320-140-0x0000000000000000-mapping.dmp

Download
memory/5104-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads