agenttesla | 772599fcf2724b31d7e8015dc109370b0f19ef0ae78390f7c225f7e526664fb5

General

Target

New Request for Quotation.exe
Size

554KB
MD5

45ea380f7cff0d5d4c529f2ae389bea0
SHA1

18ceae3e46865cd7b0e0718b6d536c70f3c631dc
SHA256

44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a
SHA512

0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.okgrocer.co.za
Port:
587
Username:
[email protected]
Password:
Theunis@123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/464-76-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/464-77-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/464-78-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/464-79-0x000000000044CACE-mapping.dmp	family_agenttesla
behavioral1/memory/464-81-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/464-83-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

winservie.exe

pid process

1828 winservie.exe
Loads dropped DLL 6 IoCs

Processes:

powershell.exeWerFault.exe

pid process

628 powershell.exe
672 WerFault.exe
672 WerFault.exe
672 WerFault.exe
672 WerFault.exe
672 WerFault.exe

pid	process
1828	winservie.exe

pid	process
628	powershell.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1984-55-0x0000000000200000-0x0000000000216000-memory.dmp	agile_net
behavioral1/memory/1828-70-0x0000000000200000-0x0000000000216000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winservie = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\winservie.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winservie.exe

description pid process target process

PID 1828 set thread context of 464 1828 winservie.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

672 1828 WerFault.exe winservie.exe

description	pid	process	target process
PID 1828 set thread context of 464	1828	winservie.exe	InstallUtil.exe

pid	pid_target	process	target process
672	1828	WerFault.exe	winservie.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

New Request for Quotation.exepowershell.exewinservie.exeInstallUtil.exe

pid	process
1984	New Request for Quotation.exe
1984	New Request for Quotation.exe
628	powershell.exe
628	powershell.exe
1828	winservie.exe
1828	winservie.exe
1828	winservie.exe
464	InstallUtil.exe
464	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

New Request for Quotation.exepowershell.exewinservie.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1984	New Request for Quotation.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1828	winservie.exe
Token: SeDebugPrivilege	464	InstallUtil.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

New Request for Quotation.execmd.exepowershell.exewinservie.exe

description	pid	process	target process
PID 1984 wrote to memory of 1240	1984	New Request for Quotation.exe	cmd.exe
PID 1984 wrote to memory of 1240	1984	New Request for Quotation.exe	cmd.exe
PID 1984 wrote to memory of 1240	1984	New Request for Quotation.exe	cmd.exe
PID 1984 wrote to memory of 1240	1984	New Request for Quotation.exe	cmd.exe
PID 1240 wrote to memory of 1728	1240	cmd.exe	reg.exe
PID 1240 wrote to memory of 1728	1240	cmd.exe	reg.exe
PID 1240 wrote to memory of 1728	1240	cmd.exe	reg.exe
PID 1240 wrote to memory of 1728	1240	cmd.exe	reg.exe
PID 1984 wrote to memory of 628	1984	New Request for Quotation.exe	powershell.exe
PID 1984 wrote to memory of 628	1984	New Request for Quotation.exe	powershell.exe
PID 1984 wrote to memory of 628	1984	New Request for Quotation.exe	powershell.exe
PID 1984 wrote to memory of 628	1984	New Request for Quotation.exe	powershell.exe
PID 628 wrote to memory of 1828	628	powershell.exe	winservie.exe
PID 628 wrote to memory of 1828	628	powershell.exe	winservie.exe
PID 628 wrote to memory of 1828	628	powershell.exe	winservie.exe
PID 628 wrote to memory of 1828	628	powershell.exe	winservie.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 464	1828	winservie.exe	InstallUtil.exe
PID 1828 wrote to memory of 672	1828	winservie.exe	WerFault.exe
PID 1828 wrote to memory of 672	1828	winservie.exe	WerFault.exe
PID 1828 wrote to memory of 672	1828	winservie.exe	WerFault.exe
PID 1828 wrote to memory of 672	1828	winservie.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\New Request for Quotation.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v winservie /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\winservie.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v winservie /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\winservie.exe"
3⤵
- Adds Run key to start application
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\winservie.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Roaming\winservie.exe
"C:\Users\Admin\AppData\Roaming\winservie.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 900
4⤵
- Loads dropped DLL
- Program crash
PID:672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
C:\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
\Users\Admin\AppData\Roaming\winservie.exe
Filesize
554KB

MD5
45ea380f7cff0d5d4c529f2ae389bea0

SHA1
18ceae3e46865cd7b0e0718b6d536c70f3c631dc

SHA256
44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

SHA512
0b32ceb42a48f9719c8238bd8f6f4136e8cccf472ff65033a35251d63188eb0a522a8cd2f279867e1f34af036c867326117d774359ed6e1f56afebbeb70e7943

Download Submit
memory/464-81-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/464-83-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/464-78-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/464-79-0x000000000044CACE-mapping.dmp

Download
memory/464-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/464-74-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/464-76-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/464-77-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/628-64-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/628-62-0x0000000000000000-mapping.dmp

Download
memory/672-85-0x0000000000000000-mapping.dmp

Download
memory/1240-59-0x0000000000000000-mapping.dmp

Download
memory/1728-60-0x0000000000000000-mapping.dmp

Download
memory/1828-69-0x0000000000140000-0x00000000001D0000-memory.dmp

Filesize
576KB

Download
memory/1828-72-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/1828-70-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/1828-67-0x0000000000000000-mapping.dmp

Download
memory/1984-54-0x0000000001330000-0x00000000013C0000-memory.dmp

Filesize
576KB

Download
memory/1984-61-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/1984-58-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1984-57-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1984-56-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/1984-55-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads