agenttesla | d4803c82bdc773474dda976fa30bc7fbbad2a6192af850c71602419dd500368b

General

Target

new purchase order.rar.exe
Size

523KB
MD5

e50b58922768f36a719aa5e91c086c06
SHA1

f2216e02ce43d07bc6bc8b7fb01461f1d9d1aa91
SHA256

a4d3085a47bf0da4fa557e18de19bada74667d0eaa3dca959990b96215bb25cc
SHA512

ba6be2906587a73203196853952878e017e99ad94edec3195a368edd99f9fb0c2ae3218b84bd943a57f0cdbbd340043c0858b9e050f330dbacdf26b45f32d078

Score

10^/10

agenttesla snakebot evasion keylogger snakebot spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.villanika.gr
Port:
587
Username:
info@villanika.gr
Password:
n2^-9wE@Wl}t

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4736-140-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Contains SnakeBOT related strings 1 IoCs

snakebot

Processes:

resource	yara_rule
behavioral2/memory/2584-130-0x0000000000F10000-0x0000000000F9C000-memory.dmp	snakebot_strings

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

new purchase order.rar.exe

description pid process target process

PID 2584 set thread context of 4736 2584 new purchase order.rar.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3324 4736 WerFault.exe RegSvcs.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

2936 REG.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

description	pid	process	target process
PID 2584 set thread context of 4736	2584	new purchase order.rar.exe	RegSvcs.exe

pid	pid_target	process	target process
3324	4736	WerFault.exe	RegSvcs.exe

pid	process
2936	REG.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

new purchase order.rar.exeRegSvcs.exe

pid	process
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
2584	new purchase order.rar.exe
4736	RegSvcs.exe
4736	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

new purchase order.rar.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2584 new purchase order.rar.exe
Token: SeDebugPrivilege 4736 RegSvcs.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

new purchase order.rar.exe

pid process

2584 new purchase order.rar.exe
2584 new purchase order.rar.exe

description	pid	process
Token: SeDebugPrivilege	2584	new purchase order.rar.exe
Token: SeDebugPrivilege	4736	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

new purchase order.rar.exeRegSvcs.exe

description	pid	process	target process
PID 2584 wrote to memory of 2176	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 2176	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 2176	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4720	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4720	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4720	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4760	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4760	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4760	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 2680	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 2680	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 2680	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 2584 wrote to memory of 4736	2584	new purchase order.rar.exe	RegSvcs.exe
PID 4736 wrote to memory of 2936	4736	RegSvcs.exe	REG.exe
PID 4736 wrote to memory of 2936	4736	RegSvcs.exe	REG.exe
PID 4736 wrote to memory of 2936	4736	RegSvcs.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\new purchase order.rar.exe
"C:\Users\Admin\AppData\Local\Temp\new purchase order.rar.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1480
3⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4736 -ip 4736
1⤵
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-135-0x0000000000000000-mapping.dmp

Download
memory/2584-131-0x00000000083C0000-0x0000000008964000-memory.dmp

Filesize
5.6MB

Download
memory/2584-132-0x0000000007E10000-0x0000000007EA2000-memory.dmp

Filesize
584KB

Download
memory/2584-133-0x0000000007EB0000-0x0000000007EBA000-memory.dmp

Filesize
40KB

Download
memory/2584-134-0x000000000B3D0000-0x000000000B46C000-memory.dmp

Filesize
624KB

Download
memory/2584-130-0x0000000000F10000-0x0000000000F9C000-memory.dmp

Filesize
560KB

Download
memory/2680-138-0x0000000000000000-mapping.dmp

Download
memory/2936-142-0x0000000000000000-mapping.dmp

Download
memory/4720-136-0x0000000000000000-mapping.dmp

Download
memory/4736-139-0x0000000000000000-mapping.dmp

Download
memory/4736-140-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4736-141-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/4736-143-0x00000000066D0000-0x0000000006720000-memory.dmp

Filesize
320KB

Download
memory/4760-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads