agenttesla | 978cfe7b4cf22cde74a9544abfcbbb99fcb58606039d520d1aa6d48599f7bfcc

General

Target

e ssssssssss.exe
Size

532KB
MD5

6a7bea227f0410cd0a29d5ec46dc2162
SHA1

c96ddd2b3e3926b030cb06636c963fa3f05e0f88
SHA256

fe4deeb84628c321aff86bc7fd0edfa70aebc3f2dd302c18cf8a5715cb8b09e8
SHA512

76c663adb6809e3d817d4e6b3e0900841351b5a48211554ff53d992e0572693e5526cab1a13c7b6f1696011b14059b67dabcf342244224e8f486d40308840c38

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mkkarakosemobilya.com
Port:
587
Username:
[email protected]
Password:
MKkkmbly@2019

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1168-134-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e ssssssssss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eOqyl = "C:\\JVJHUWZP\\eOqylq\\eOqylqyCC.vbs"	e ssssssssss.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e ssssssssss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e ssssssssss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	e ssssssssss.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e ssssssssss.exe

description pid process target process

PID 2004 set thread context of 1168 2004 e ssssssssss.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1796 1168 WerFault.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

InstallUtil.exe

pid process

1168 InstallUtil.exe
1168 InstallUtil.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e ssssssssss.exe

pid process

2004 e ssssssssss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

InstallUtil.exe

description pid process

Token: SeDebugPrivilege 1168 InstallUtil.exe

description	pid	process	target process
PID 2004 set thread context of 1168	2004	e ssssssssss.exe	InstallUtil.exe

pid	pid_target	process	target process
1796	1168	WerFault.exe	InstallUtil.exe

pid	process
1168	InstallUtil.exe
1168	InstallUtil.exe

pid	process
2004	e ssssssssss.exe

description	pid	process
Token: SeDebugPrivilege	1168	InstallUtil.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e ssssssssss.exe

description	pid	process	target process
PID 2004 wrote to memory of 1168	2004	e ssssssssss.exe	InstallUtil.exe
PID 2004 wrote to memory of 1168	2004	e ssssssssss.exe	InstallUtil.exe
PID 2004 wrote to memory of 1168	2004	e ssssssssss.exe	InstallUtil.exe
PID 2004 wrote to memory of 1168	2004	e ssssssssss.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\e ssssssssss.exe
"C:\Users\Admin\AppData\Local\Temp\e ssssssssss.exe"
1⤵
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1476
3⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1168 -ip 1168
1⤵
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-133-0x0000000000000000-mapping.dmp

Download
memory/1168-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1168-135-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/1168-136-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/1168-137-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/1168-138-0x0000000006390000-0x00000000063E0000-memory.dmp

Filesize
320KB

Download
memory/2004-130-0x00000000003B0000-0x000000000043C000-memory.dmp

Filesize
560KB

Download
memory/2004-131-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/2004-132-0x0000000004CF0000-0x0000000004CF3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads