agenttesla | 86c120781b2c6aa88912ec927794a872ca51d239db2e3123953989767929dc64

General

Target

Doc#162020094753525765344650094480.pdf.exe
Size

4.7MB
MD5

ffceee8b1fe197a9cac46ae74a66bccd
SHA1

806284efb14a8a27f44eee9564957659eec05282
SHA256

5bf9c6dd99a8c7ee59efcf09ff2b4ee5b5f51aab9ad91cd2aa0fca4b0ae975ba
SHA512

9d1cb0248107409eac2def450ebc99173e67340ee79a6f62c9b8273e318b0c17b53f914f122bb79d02f55af86516852100996c5152b5e15917a6c490c53e7627

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
chizzy25@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/632-140-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

dfgrwhgrhterurw.exeAddInProcess32.exe

pid process

3276 dfgrwhgrhterurw.exe
632 AddInProcess32.exe

pid	process
3276	dfgrwhgrhterurw.exe
632	AddInProcess32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Doc#162020094753525765344650094480.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Doc#162020094753525765344650094480.pdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hfggdfsgbnvbdgerfghs = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\dfgrwhgrhterurw.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dfgrwhgrhterurw.exe

description pid process target process

PID 3276 set thread context of 632 3276 dfgrwhgrhterurw.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3276 set thread context of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Doc#162020094753525765344650094480.pdf.exedfgrwhgrhterurw.exe

pid	process
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
4808	Doc#162020094753525765344650094480.pdf.exe
3276	dfgrwhgrhterurw.exe
3276	dfgrwhgrhterurw.exe
3276	dfgrwhgrhterurw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Doc#162020094753525765344650094480.pdf.exedfgrwhgrhterurw.exe

description pid process

Token: SeDebugPrivilege 4808 Doc#162020094753525765344650094480.pdf.exe
Token: SeDebugPrivilege 3276 dfgrwhgrhterurw.exe

description	pid	process
Token: SeDebugPrivilege	4808	Doc#162020094753525765344650094480.pdf.exe
Token: SeDebugPrivilege	3276	dfgrwhgrhterurw.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Doc#162020094753525765344650094480.pdf.execmd.exedfgrwhgrhterurw.exe

description	pid	process	target process
PID 4808 wrote to memory of 3840	4808	Doc#162020094753525765344650094480.pdf.exe	cmd.exe
PID 4808 wrote to memory of 3840	4808	Doc#162020094753525765344650094480.pdf.exe	cmd.exe
PID 4808 wrote to memory of 3840	4808	Doc#162020094753525765344650094480.pdf.exe	cmd.exe
PID 3840 wrote to memory of 2304	3840	cmd.exe	reg.exe
PID 3840 wrote to memory of 2304	3840	cmd.exe	reg.exe
PID 3840 wrote to memory of 2304	3840	cmd.exe	reg.exe
PID 4808 wrote to memory of 3276	4808	Doc#162020094753525765344650094480.pdf.exe	dfgrwhgrhterurw.exe
PID 4808 wrote to memory of 3276	4808	Doc#162020094753525765344650094480.pdf.exe	dfgrwhgrhterurw.exe
PID 4808 wrote to memory of 3276	4808	Doc#162020094753525765344650094480.pdf.exe	dfgrwhgrhterurw.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe
PID 3276 wrote to memory of 632	3276	dfgrwhgrhterurw.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\Doc#162020094753525765344650094480.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc#162020094753525765344650094480.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hfggdfsgbnvbdgerfghs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hfggdfsgbnvbdgerfghs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe"
3⤵
- Adds Run key to start application
PID:2304

C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe
"C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe
Filesize
4.7MB

MD5
ffceee8b1fe197a9cac46ae74a66bccd

SHA1
806284efb14a8a27f44eee9564957659eec05282

SHA256
5bf9c6dd99a8c7ee59efcf09ff2b4ee5b5f51aab9ad91cd2aa0fca4b0ae975ba

SHA512
9d1cb0248107409eac2def450ebc99173e67340ee79a6f62c9b8273e318b0c17b53f914f122bb79d02f55af86516852100996c5152b5e15917a6c490c53e7627

Download Submit
C:\Users\Admin\AppData\Roaming\dfgrwhgrhterurw.exe
Filesize
4.7MB

MD5
ffceee8b1fe197a9cac46ae74a66bccd

SHA1
806284efb14a8a27f44eee9564957659eec05282

SHA256
5bf9c6dd99a8c7ee59efcf09ff2b4ee5b5f51aab9ad91cd2aa0fca4b0ae975ba

SHA512
9d1cb0248107409eac2def450ebc99173e67340ee79a6f62c9b8273e318b0c17b53f914f122bb79d02f55af86516852100996c5152b5e15917a6c490c53e7627

Download Submit
memory/632-143-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/632-140-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/632-139-0x0000000000000000-mapping.dmp

Download
memory/2304-135-0x0000000000000000-mapping.dmp

Download
memory/3276-136-0x0000000000000000-mapping.dmp

Download
memory/3840-134-0x0000000000000000-mapping.dmp

Download
memory/4808-130-0x0000000000680000-0x0000000000B3C000-memory.dmp

Filesize
4.7MB

Download
memory/4808-133-0x0000000006290000-0x00000000062D4000-memory.dmp

Filesize
272KB

Download
memory/4808-132-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/4808-131-0x0000000006300000-0x00000000068A4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads