agenttesla | 8d3fe61298bc4342e3c45b69015271807db0e851b6f34800b37435cc8867179c

General

Target

Doc-94220990687845334878-109.exe
Size

612KB
MD5

369a4d5f137e2aaf60e20d636f77b743
SHA1

8cbdcc5df2d74e92a3f18138303af8a789e44ecc
SHA256

f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b
SHA512

b0a2ad49496de1cadb9b181ec263fa76cafbea3e7b4c221237ab07e7ad8b71f1c2d382d6843005d01a7f993b25fd685eb15ea499439303fb894a4f710856fff0

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.chenklins.com
Port:
587
Username:
kelv@chenklins.com
Password:
7AY8Uj[tEN)a

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1004-71-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1004-72-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1004-73-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1004-74-0x0000000000446F3E-mapping.dmp	family_agenttesla
behavioral1/memory/1004-77-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1004-79-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

chukwusystem.exeInstallUtil.exe

pid process

2036 chukwusystem.exe
1004 InstallUtil.exe
Loads dropped DLL 2 IoCs

Processes:

Doc-94220990687845334878-109.exechukwusystem.exe

pid process

1212 Doc-94220990687845334878-109.exe
2036 chukwusystem.exe

pid	process
2036	chukwusystem.exe
1004	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1212-55-0x0000000000360000-0x0000000000374000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\chukwusystem = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\chukwusystem.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chukwusystem.exe

description pid process target process

PID 2036 set thread context of 1004 2036 chukwusystem.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2036 set thread context of 1004	2036	chukwusystem.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Doc-94220990687845334878-109.exechukwusystem.exeInstallUtil.exe

pid	process
1212	Doc-94220990687845334878-109.exe
1212	Doc-94220990687845334878-109.exe
2036	chukwusystem.exe
2036	chukwusystem.exe
2036	chukwusystem.exe
1004	InstallUtil.exe
1004	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Doc-94220990687845334878-109.exechukwusystem.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1212	Doc-94220990687845334878-109.exe
Token: SeDebugPrivilege	2036	chukwusystem.exe
Token: SeDebugPrivilege	1004	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Doc-94220990687845334878-109.execmd.exechukwusystem.exe

description	pid	process	target process
PID 1212 wrote to memory of 1688	1212	Doc-94220990687845334878-109.exe	cmd.exe
PID 1212 wrote to memory of 1688	1212	Doc-94220990687845334878-109.exe	cmd.exe
PID 1212 wrote to memory of 1688	1212	Doc-94220990687845334878-109.exe	cmd.exe
PID 1212 wrote to memory of 1688	1212	Doc-94220990687845334878-109.exe	cmd.exe
PID 1688 wrote to memory of 1648	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1648	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1648	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1648	1688	cmd.exe	reg.exe
PID 1212 wrote to memory of 2036	1212	Doc-94220990687845334878-109.exe	chukwusystem.exe
PID 1212 wrote to memory of 2036	1212	Doc-94220990687845334878-109.exe	chukwusystem.exe
PID 1212 wrote to memory of 2036	1212	Doc-94220990687845334878-109.exe	chukwusystem.exe
PID 1212 wrote to memory of 2036	1212	Doc-94220990687845334878-109.exe	chukwusystem.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe
PID 2036 wrote to memory of 1004	2036	chukwusystem.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Doc-94220990687845334878-109.exe
"C:\Users\Admin\AppData\Local\Temp\Doc-94220990687845334878-109.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v chukwusystem /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chukwusystem.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v chukwusystem /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\chukwusystem.exe"
3⤵
- Adds Run key to start application
PID:1648

C:\Users\Admin\AppData\Roaming\chukwusystem.exe
"C:\Users\Admin\AppData\Roaming\chukwusystem.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Roaming\chukwusystem.exe
Filesize
612KB

MD5
369a4d5f137e2aaf60e20d636f77b743

SHA1
8cbdcc5df2d74e92a3f18138303af8a789e44ecc

SHA256
f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b

SHA512
b0a2ad49496de1cadb9b181ec263fa76cafbea3e7b4c221237ab07e7ad8b71f1c2d382d6843005d01a7f993b25fd685eb15ea499439303fb894a4f710856fff0

Download Submit
C:\Users\Admin\AppData\Roaming\chukwusystem.exe
Filesize
612KB

MD5
369a4d5f137e2aaf60e20d636f77b743

SHA1
8cbdcc5df2d74e92a3f18138303af8a789e44ecc

SHA256
f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b

SHA512
b0a2ad49496de1cadb9b181ec263fa76cafbea3e7b4c221237ab07e7ad8b71f1c2d382d6843005d01a7f993b25fd685eb15ea499439303fb894a4f710856fff0

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Roaming\chukwusystem.exe
Filesize
612KB

MD5
369a4d5f137e2aaf60e20d636f77b743

SHA1
8cbdcc5df2d74e92a3f18138303af8a789e44ecc

SHA256
f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b

SHA512
b0a2ad49496de1cadb9b181ec263fa76cafbea3e7b4c221237ab07e7ad8b71f1c2d382d6843005d01a7f993b25fd685eb15ea499439303fb894a4f710856fff0

Download Submit
memory/1004-73-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1004-74-0x0000000000446F3E-mapping.dmp

Download
memory/1004-80-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1004-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1004-77-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1004-72-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1004-71-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1004-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1004-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1212-56-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1212-57-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1212-54-0x0000000000AB0000-0x0000000000B50000-memory.dmp

Filesize
640KB

Download
memory/1212-55-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/1212-58-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1648-60-0x0000000000000000-mapping.dmp

Download
memory/1688-59-0x0000000000000000-mapping.dmp

Download
memory/2036-65-0x0000000000180000-0x0000000000220000-memory.dmp

Filesize
640KB

Download
memory/2036-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads