agenttesla | 570d4ac0ca764601b37e77aea4b5bf8138bdbaa24f46255fa68b09d4dc62869c

General

Target

hvala na predra?unu.exe
Size

2.0MB
MD5

1d025c80f31210ed9530941eae6633da
SHA1

9af0a3622f58f4b50c9159cead2f672ec4707ece
SHA256

b08f164f0363528f8928f01133da533a2868e12b95177df09b2f11e78510e02d
SHA512

5f5bcbfb2598c299f27aeb667301c8972b18e13306ccc53c3d47ff045bc7f29cbc2ca3e2ac1e9e521a7b2ca13549a635762aecbbc001babb4ebf30c040fd1b79

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.kapackserv.com
Port:
587
Username:
[email protected]
Password:
Gwou86k?R#Xng+ywl~

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4092-134-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

hvala na predra_unumgr.exe

pid process

1904 hvala na predra_unumgr.exe

pid	process
1904	hvala na predra_unumgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe	upx

Drops startup file 1 IoCs

Processes:

hvala na predra_unu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.url	hvala na predra_unu.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UoOfbM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UoOfbM\\UoOfbM.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hvala na predra_unu.exe

description pid process target process

PID 1588 set thread context of 4092 1588 hvala na predra_unu.exe MSBuild.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1972 1904 WerFault.exe hvala na predra_unumgr.exe

description	pid	process	target process
PID 1588 set thread context of 4092	1588	hvala na predra_unu.exe	MSBuild.exe

pid	pid_target	process	target process
1972	1904	WerFault.exe	hvala na predra_unumgr.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

MSBuild.exehvala na predra_unu.exe

pid	process
4092	MSBuild.exe
4092	MSBuild.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 4092 MSBuild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

hvala na predra_unu.exe

pid process

1588 hvala na predra_unu.exe
1588 hvala na predra_unu.exe
1588 hvala na predra_unu.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

hvala na predra_unu.exe

pid process

1588 hvala na predra_unu.exe
1588 hvala na predra_unu.exe
1588 hvala na predra_unu.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

4092 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4092	MSBuild.exe

pid	process
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe

pid	process
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe
1588	hvala na predra_unu.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

hvala na predra_unu.exeMSBuild.exe

description	pid	process	target process
PID 1588 wrote to memory of 1904	1588	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1588 wrote to memory of 1904	1588	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1588 wrote to memory of 1904	1588	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1588 wrote to memory of 4092	1588	hvala na predra_unu.exe	MSBuild.exe
PID 1588 wrote to memory of 4092	1588	hvala na predra_unu.exe	MSBuild.exe
PID 1588 wrote to memory of 4092	1588	hvala na predra_unu.exe	MSBuild.exe
PID 1588 wrote to memory of 4092	1588	hvala na predra_unu.exe	MSBuild.exe
PID 1588 wrote to memory of 4092	1588	hvala na predra_unu.exe	MSBuild.exe
PID 4092 wrote to memory of 1896	4092	MSBuild.exe	netsh.exe
PID 4092 wrote to memory of 1896	4092	MSBuild.exe	netsh.exe
PID 4092 wrote to memory of 1896	4092	MSBuild.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\hvala na predra_unu.exe
"C:\Users\Admin\AppData\Local\Temp\hvala na predra_unu.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
"C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe"
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 264
3⤵
- Program crash
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4092

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1904 -ip 1904
1⤵
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/1588-139-0x0000000055C40000-0x0000000055CD8000-memory.dmp

Filesize
608KB

Download
memory/1588-140-0x0000000077020000-0x00000000770B8000-memory.dmp

Filesize
608KB

Download
memory/1896-142-0x0000000000000000-mapping.dmp

Download
memory/1904-130-0x0000000000000000-mapping.dmp

Download
memory/4092-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4092-133-0x0000000000000000-mapping.dmp

Download
memory/4092-141-0x0000000074110000-0x00000000746C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads