agenttesla | f634a9d7eaeb9dcdefff98bfe6a850190c16dd9ab8a2e50fee3fa5acf5757a14

General

Target

duk (3).exe
Size

511KB
MD5

04b191c4242a98c5b14ed1de9c61ef8c
SHA1

4c4fafb67933eb18100acdc76128f42dc9a9525f
SHA256

bbfd3959ef22e9fa18ed11cbc9b8f31ac36e86f0d055d2c57b81ee19f9c54175
SHA512

c613ece1002132dfacf60eb41a0d1910e3e3c314db9b53f13b9e9eb34c4db9553538f3fc12f22c3ddf5ca705a53f64517783b292c240c20ec0d002a8e202144b

Score

10^/10

agenttesla snakebot evasion keylogger snakebot spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hotel71.com.bd
Port:
587
Username:
chat@hotel71.com.bd
Password:
9+^va&phP1v9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

Contains SnakeBOT related strings 1 IoCs

snakebot

Processes:

resource	yara_rule
behavioral2/memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp	snakebot_strings

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

duk (3).exe

description pid process target process

PID 1160 set thread context of 4476 1160 duk (3).exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2896 4476 WerFault.exe RegSvcs.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

2484 REG.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4476 RegSvcs.exe
4476 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

duk (3).exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1160 duk (3).exe
Token: SeDebugPrivilege 4476 RegSvcs.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

duk (3).exe

pid process

1160 duk (3).exe
1160 duk (3).exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

description	pid	process	target process
PID 1160 set thread context of 4476	1160	duk (3).exe	RegSvcs.exe

pid	pid_target	process	target process
2896	4476	WerFault.exe	RegSvcs.exe

pid	process
2484	REG.exe

pid	process
4476	RegSvcs.exe
4476	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1160	duk (3).exe
Token: SeDebugPrivilege	4476	RegSvcs.exe

pid	process
1160	duk (3).exe
1160	duk (3).exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

duk (3).exeRegSvcs.exe

description	pid	process	target process
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 4476 wrote to memory of 2484	4476	RegSvcs.exe	REG.exe
PID 4476 wrote to memory of 2484	4476	RegSvcs.exe	REG.exe
PID 4476 wrote to memory of 2484	4476	RegSvcs.exe	REG.exe
PID 4476 wrote to memory of 5068	4476	RegSvcs.exe	netsh.exe
PID 4476 wrote to memory of 5068	4476	RegSvcs.exe	netsh.exe
PID 4476 wrote to memory of 5068	4476	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\duk (3).exe
"C:\Users\Admin\AppData\Local\Temp\duk (3).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2484

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1576
3⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476
1⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp

Filesize
552KB

Download
memory/1160-131-0x0000000008220000-0x00000000087C4000-memory.dmp

Filesize
5.6MB

Download
memory/1160-132-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/1160-133-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

Filesize
40KB

Download
memory/1160-134-0x000000000B2C0000-0x000000000B35C000-memory.dmp

Filesize
624KB

Download
memory/2484-138-0x0000000000000000-mapping.dmp

Download
memory/4476-135-0x0000000000000000-mapping.dmp

Download
memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4476-137-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/4476-139-0x0000000006060000-0x00000000060B0000-memory.dmp

Filesize
320KB

Download
memory/5068-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads