agenttesla | db9e101a455cc5601582e029cae66c9d79c9042da5a0faf20aa145e47fd8f42d

General

Target

Akbank Bildirimi.exe
Size

530KB
MD5

6864baa092a9d571a6b2b90994695ec8
SHA1

360b38f1050fa182cb4c579dd7af60d784d3f543
SHA256

6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
SHA512

91fde501a8d514ff2ffeb12d0deb7721c372ccbf657e962e4ad5b35f0500a6fb5aa7e1b150ea4042ded50d7e898b5e8f432c8ee5ef931a08462a314cc4e5dd80

Score

10^/10

agenttesla collection coreentity evasion keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
gatefee22

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1680-56-0x0000000000310000-0x0000000000318000-memory.dmp	coreentity

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-63-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1700-64-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1700-66-0x000000000044C4AE-mapping.dmp	family_agenttesla
behavioral1/memory/1700-65-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1700-70-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1700-68-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1680-54-0x00000000009F0000-0x0000000000A7A000-memory.dmp	coreccc

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1680-57-0x0000000000650000-0x00000000006A8000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Akbank Bildirimi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Akbank Bildirimi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Akbank Bildirimi.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Akbank Bildirimi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Akbank Bildirimi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Akbank Bildirimi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Akbank Bildirimi.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Akbank Bildirimi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Akbank Bildirimi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Akbank Bildirimi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Akbank Bildirimi.exe

description pid process target process

PID 1680 set thread context of 1700 1680 Akbank Bildirimi.exe Akbank Bildirimi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2004 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Akbank Bildirimi.exe

pid process

1700 Akbank Bildirimi.exe
1700 Akbank Bildirimi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Akbank Bildirimi.exe

description pid process

Token: SeDebugPrivilege 1700 Akbank Bildirimi.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Akbank Bildirimi.exe

pid process

1700 Akbank Bildirimi.exe

description	pid	process	target process
PID 1680 set thread context of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe

pid	process
2004	schtasks.exe

pid	process
1700	Akbank Bildirimi.exe
1700	Akbank Bildirimi.exe

description	pid	process
Token: SeDebugPrivilege	1700	Akbank Bildirimi.exe

pid	process
1700	Akbank Bildirimi.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Akbank Bildirimi.exeAkbank Bildirimi.exe

description	pid	process	target process
PID 1680 wrote to memory of 2004	1680	Akbank Bildirimi.exe	schtasks.exe
PID 1680 wrote to memory of 2004	1680	Akbank Bildirimi.exe	schtasks.exe
PID 1680 wrote to memory of 2004	1680	Akbank Bildirimi.exe	schtasks.exe
PID 1680 wrote to memory of 2004	1680	Akbank Bildirimi.exe	schtasks.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1680 wrote to memory of 1700	1680	Akbank Bildirimi.exe	Akbank Bildirimi.exe
PID 1700 wrote to memory of 1968	1700	Akbank Bildirimi.exe	netsh.exe
PID 1700 wrote to memory of 1968	1700	Akbank Bildirimi.exe	netsh.exe
PID 1700 wrote to memory of 1968	1700	Akbank Bildirimi.exe	netsh.exe
PID 1700 wrote to memory of 1968	1700	Akbank Bildirimi.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

Akbank Bildirimi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Akbank Bildirimi.exe

outlook_win_path 1 IoCs

Processes:

Akbank Bildirimi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Akbank Bildirimi.exe

C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe
"C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iCbkAkaGXo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9BC4.tmp"
2⤵
- Creates scheduled task(s)
PID:2004

C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1700

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9BC4.tmp
Filesize
1KB

MD5
df5ce2031c6c8f9232be179cf85037d6

SHA1
e8ba898e3aa525704fe59fa22c9da453b97a165a

SHA256
cc557a890ec044b9f0c4993073bfcf502f7c33252bdac36e903926771978016d

SHA512
1d5775ef786228bc97f265f62c409c812341bc23406bf5fea0c2efa5ef703ca7142f8fe2879266d62d928e32d8030ae4914cc7313a070c2754173521f9b8b4eb

Download Submit
memory/1680-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1680-57-0x0000000000650000-0x00000000006A8000-memory.dmp

Filesize
352KB

Download
memory/1680-54-0x00000000009F0000-0x0000000000A7A000-memory.dmp

Filesize
552KB

Download
memory/1700-61-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-60-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-66-0x000000000044C4AE-mapping.dmp

Download
memory/1700-65-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-70-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-68-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1968-72-0x0000000000000000-mapping.dmp

Download
memory/2004-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads