agenttesla | 660ea1ce5d2631259675f593f6070ad6cc201551de448254d5bcde3e19d7c7bb

General

Target

SOA.exe
Size

484KB
MD5

43cfa744a47b3858736b6c635fda509b
SHA1

0d7f38330a6c27aafa2d0dc2d137b4f972d22cfc
SHA256

ef7a6fa5553b2f93bbe0ec60a3f636c6e028876ca02ebed0a26ff9ad23732d65
SHA512

e3f117ddc5c57435d5b362dec48619b0d840b10f1c444a99f2dc85c279f3fd9ed2e8459c3622de1c7283878b372a19394128e2efa5562030ff3f52b51bb225e4

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pro-powersourcing.com
Port:
587
Username:
[email protected]
Password:
china1977

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-135-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SOA.exeSOA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	SOA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	SOA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SOA.exeSOA.exeSOA.exe

description	pid	process	target process
PID 4652 set thread context of 4648	4652	SOA.exe	RegSvcs.exe
PID 1500 set thread context of 4376	1500	SOA.exe	RegSvcs.exe
PID 3692 set thread context of 2372	3692	SOA.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3776 4648 WerFault.exe RegSvcs.exe
4576 4376 WerFault.exe RegSvcs.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

1916 REG.exe
2584 REG.exe

pid	pid_target	process	target process
3776	4648	WerFault.exe	RegSvcs.exe
4576	4376	WerFault.exe	RegSvcs.exe

pid	process
1916	REG.exe
2584	REG.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

SOA.exeRegSvcs.exeSOA.exeRegSvcs.exeSOA.exeRegSvcs.exe

pid	process
4652	SOA.exe
4648	RegSvcs.exe
4648	RegSvcs.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
4652	SOA.exe
1500	SOA.exe
4376	RegSvcs.exe
4376	RegSvcs.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
4376	RegSvcs.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
1500	SOA.exe
3692	SOA.exe
3692	SOA.exe
3692	SOA.exe
3692	SOA.exe
3692	SOA.exe
2372	RegSvcs.exe
2372	RegSvcs.exe
3692	SOA.exe
3692	SOA.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SOA.exeRegSvcs.exeSOA.exeRegSvcs.exeSOA.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4652	SOA.exe
Token: SeDebugPrivilege	4648	RegSvcs.exe
Token: SeDebugPrivilege	1500	SOA.exe
Token: SeDebugPrivilege	4376	RegSvcs.exe
Token: SeDebugPrivilege	3692	SOA.exe
Token: SeDebugPrivilege	2372	RegSvcs.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

SOA.exeRegSvcs.exeSOA.exeRegSvcs.exeSOA.exe

description	pid	process	target process
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4652 wrote to memory of 4648	4652	SOA.exe	RegSvcs.exe
PID 4648 wrote to memory of 1916	4648	RegSvcs.exe	REG.exe
PID 4648 wrote to memory of 1916	4648	RegSvcs.exe	REG.exe
PID 4648 wrote to memory of 1916	4648	RegSvcs.exe	REG.exe
PID 4652 wrote to memory of 1500	4652	SOA.exe	SOA.exe
PID 4652 wrote to memory of 1500	4652	SOA.exe	SOA.exe
PID 4652 wrote to memory of 1500	4652	SOA.exe	SOA.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 1500 wrote to memory of 4376	1500	SOA.exe	RegSvcs.exe
PID 4376 wrote to memory of 2584	4376	RegSvcs.exe	REG.exe
PID 4376 wrote to memory of 2584	4376	RegSvcs.exe	REG.exe
PID 4376 wrote to memory of 2584	4376	RegSvcs.exe	REG.exe
PID 1500 wrote to memory of 3692	1500	SOA.exe	SOA.exe
PID 1500 wrote to memory of 3692	1500	SOA.exe	SOA.exe
PID 1500 wrote to memory of 3692	1500	SOA.exe	SOA.exe
PID 3692 wrote to memory of 4824	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 4824	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 4824	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 3496	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 3496	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 3496	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe
PID 3692 wrote to memory of 2372	3692	SOA.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1568
3⤵
- Program crash
PID:3776

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1560
4⤵
- Program crash
PID:4576

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
4⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
4⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4648 -ip 4648
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4376 -ip 4376
1⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.log
Filesize
507B

MD5
1c985cdad5556063862ee63e3473c93a

SHA1
133c14d8d4643caba072ea007b67b3e8574ee7be

SHA256
ea9307d2150c0abfb0c5734155b0e8d9f8097a7ff7f34f4030db6809c181c5bc

SHA512
fd906e2649be66ec5a38cebaf3e1391f281b3303518827ce3efab50b969e73d6a4c4bc52b641afa16758bdf2251d8fbd3a3a246f7f671510f4db8695b32540ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpSnJ\CpSnJ.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
846B

MD5
5b2d17233558878a82ee464d04f58b59

SHA1
47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

SHA256
5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

SHA512
d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

Download Submit
memory/1500-139-0x0000000000000000-mapping.dmp

Download
memory/1916-137-0x0000000000000000-mapping.dmp

Download
memory/2372-149-0x0000000000000000-mapping.dmp

Download
memory/2584-143-0x0000000000000000-mapping.dmp

Download
memory/3496-148-0x0000000000000000-mapping.dmp

Download
memory/3692-145-0x0000000000000000-mapping.dmp

Download
memory/4376-140-0x0000000000000000-mapping.dmp

Download
memory/4648-134-0x0000000000000000-mapping.dmp

Download
memory/4648-138-0x0000000006C50000-0x0000000006CA0000-memory.dmp

Filesize
320KB

Download
memory/4648-136-0x0000000006610000-0x0000000006676000-memory.dmp

Filesize
408KB

Download
memory/4648-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4652-130-0x0000000000070000-0x00000000000F2000-memory.dmp

Filesize
520KB

Download
memory/4652-133-0x0000000007090000-0x0000000007634000-memory.dmp

Filesize
5.6MB

Download
memory/4652-132-0x0000000006260000-0x00000000062FC000-memory.dmp

Filesize
624KB

Download
memory/4652-131-0x000000000A090000-0x000000000A122000-memory.dmp

Filesize
584KB

Download
memory/4824-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads