agenttesla | a939603d2e808fbf991af694ed0dde943ce64232b1d9a23ca695bda945c1e602

General

Target

Scan00908.exe
Size

613KB
MD5

d5f5de6945365b8634d369175419904e
SHA1

fc4e930923f73e41859ad67aecb822fe50caea75
SHA256

4bcc140ce0b15bd7798da9c59b52ee6eb79b3f60ffeba99e7c254885cb84d056
SHA512

a4f2a9f6fb3387cbce25f6bcda6458129109a6ddfc2f06e51a71b0d7f080598209b6a89b400d4c471b0d9feb972635c4b46bb9786264903348f38b22bedc734f

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.miomantenimiento.com
Port:
587
Username:
[email protected]
Password:
mariocastro

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1176-141-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

lunono.exeInstallUtil.exe

pid process

3228 lunono.exe
1176 InstallUtil.exe

pid	process
3228	lunono.exe
1176	InstallUtil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Scan00908.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Scan00908.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\luno = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\lunono.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lunono.exe

description pid process target process

PID 3228 set thread context of 1176 3228 lunono.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3228 set thread context of 1176	3228	lunono.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Scan00908.exelunono.exeInstallUtil.exe

pid	process
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
832	Scan00908.exe
3228	lunono.exe
3228	lunono.exe
3228	lunono.exe
1176	InstallUtil.exe
1176	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Scan00908.exelunono.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 832 Scan00908.exe
Token: SeDebugPrivilege 3228 lunono.exe
Token: SeDebugPrivilege 1176 InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	832	Scan00908.exe
Token: SeDebugPrivilege	3228	lunono.exe
Token: SeDebugPrivilege	1176	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Scan00908.execmd.exelunono.exe

description	pid	process	target process
PID 832 wrote to memory of 4564	832	Scan00908.exe	cmd.exe
PID 832 wrote to memory of 4564	832	Scan00908.exe	cmd.exe
PID 832 wrote to memory of 4564	832	Scan00908.exe	cmd.exe
PID 4564 wrote to memory of 4248	4564	cmd.exe	reg.exe
PID 4564 wrote to memory of 4248	4564	cmd.exe	reg.exe
PID 4564 wrote to memory of 4248	4564	cmd.exe	reg.exe
PID 832 wrote to memory of 3228	832	Scan00908.exe	lunono.exe
PID 832 wrote to memory of 3228	832	Scan00908.exe	lunono.exe
PID 832 wrote to memory of 3228	832	Scan00908.exe	lunono.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe
PID 3228 wrote to memory of 1176	3228	lunono.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Scan00908.exe
"C:\Users\Admin\AppData\Local\Temp\Scan00908.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v luno /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\lunono.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v luno /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\lunono.exe"
    3⤵
    - Adds Run key to start application
    PID:4248
- C:\Users\Admin\AppData\Roaming\lunono.exe
  "C:\Users\Admin\AppData\Roaming\lunono.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\lunono.exe

Filesize
613KB

MD5
d5f5de6945365b8634d369175419904e

SHA1
fc4e930923f73e41859ad67aecb822fe50caea75

SHA256
4bcc140ce0b15bd7798da9c59b52ee6eb79b3f60ffeba99e7c254885cb84d056

SHA512
a4f2a9f6fb3387cbce25f6bcda6458129109a6ddfc2f06e51a71b0d7f080598209b6a89b400d4c471b0d9feb972635c4b46bb9786264903348f38b22bedc734f

Download Submit
C:\Users\Admin\AppData\Roaming\lunono.exe

Filesize
613KB

MD5
d5f5de6945365b8634d369175419904e

SHA1
fc4e930923f73e41859ad67aecb822fe50caea75

SHA256
4bcc140ce0b15bd7798da9c59b52ee6eb79b3f60ffeba99e7c254885cb84d056

SHA512
a4f2a9f6fb3387cbce25f6bcda6458129109a6ddfc2f06e51a71b0d7f080598209b6a89b400d4c471b0d9feb972635c4b46bb9786264903348f38b22bedc734f

Download Submit
memory/832-131-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/832-132-0x0000000005B10000-0x0000000005BA2000-memory.dmp

Filesize
584KB

Download
memory/832-133-0x0000000005CB0000-0x0000000005CF4000-memory.dmp

Filesize
272KB

Download
memory/832-130-0x0000000000FB0000-0x0000000001050000-memory.dmp

Filesize
640KB

Download
memory/1176-141-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1176-144-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/1176-140-0x0000000000000000-mapping.dmp

Download
memory/3228-136-0x0000000000000000-mapping.dmp

Download
memory/3228-139-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/4248-135-0x0000000000000000-mapping.dmp

Download
memory/4564-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads