agenttesla | fab7bef714427ef5922e986e9c723bf1e45bce7cb647a42c58e23bd4b3216421

General

Target

Nuevo pedido 7887979-800898.bat.exe
Size

6KB
MD5

206115e1488682cfc64176f95462e76b
SHA1

a237be7d066a71bd063956c11f2f0d5f476e823a
SHA256

fab7bef714427ef5922e986e9c723bf1e45bce7cb647a42c58e23bd4b3216421
SHA512

790745d708e18fcfa45135088745c49094f42f8bef54bfd9954c8752599de1ce02f6ea118724ad5a3921d1d405ebaa32201b7495048093d4903707381c8fb375
SSDEEP

96:WAwa5N9p+ZNLDApFY1jAdhkxgqEQGnQUzNt:WAwa5grL+OEyxgfFn/

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mgcpakistan.com/
Port:
21
Username:
[email protected]
Password:
boygirl123456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/2204-147-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Nuevo pedido 7887979-800898.bat.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Nuevo pedido 7887979-800898.bat.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Nuevo pedido 7887979-800898.bat.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Nuevo pedido 7887979-800898.bat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unurkb = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zgcjjewavix\\Unurkb.exe\""	Nuevo pedido 7887979-800898.bat.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2800	ipconfig.exe
3500	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5016	powershell.exe
5016	powershell.exe
2204	Nuevo pedido 7887979-800898.bat.exe
2204	Nuevo pedido 7887979-800898.bat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	Nuevo pedido 7887979-800898.bat.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	2204	Nuevo pedido 7887979-800898.bat.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4240	4972	Nuevo pedido 7887979-800898.bat.exe	81
PID 4972 wrote to memory of 4240	4972	Nuevo pedido 7887979-800898.bat.exe	81
PID 4972 wrote to memory of 4240	4972	Nuevo pedido 7887979-800898.bat.exe	81
PID 4240 wrote to memory of 2800	4240	cmd.exe	83
PID 4240 wrote to memory of 2800	4240	cmd.exe	83
PID 4240 wrote to memory of 2800	4240	cmd.exe	83
PID 4972 wrote to memory of 5016	4972	Nuevo pedido 7887979-800898.bat.exe	84
PID 4972 wrote to memory of 5016	4972	Nuevo pedido 7887979-800898.bat.exe	84
PID 4972 wrote to memory of 5016	4972	Nuevo pedido 7887979-800898.bat.exe	84
PID 4972 wrote to memory of 4124	4972	Nuevo pedido 7887979-800898.bat.exe	93
PID 4972 wrote to memory of 4124	4972	Nuevo pedido 7887979-800898.bat.exe	93
PID 4972 wrote to memory of 4124	4972	Nuevo pedido 7887979-800898.bat.exe	93
PID 4124 wrote to memory of 3500	4124	cmd.exe	95
PID 4124 wrote to memory of 3500	4124	cmd.exe	95
PID 4124 wrote to memory of 3500	4124	cmd.exe	95
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96
PID 4972 wrote to memory of 2204	4972	Nuevo pedido 7887979-800898.bat.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Nuevo pedido 7887979-800898.bat.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Nuevo pedido 7887979-800898.bat.exe

C:\Users\Admin\AppData\Local\Temp\Nuevo pedido 7887979-800898.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo pedido 7887979-800898.bat.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\Nuevo pedido 7887979-800898.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\Nuevo pedido 7887979-800898.bat.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo pedido 7887979-800898.bat.exe.log

Filesize
1KB

MD5
3a9188331a78f1dbce606db64b841fcb

SHA1
8e2c99b7c477d06591a856a4ea3e1e214719eee8

SHA256
db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451

SHA512
d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a

Download Submit
memory/2204-149-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/2204-153-0x0000000006B70000-0x0000000006B7A000-memory.dmp

Filesize
40KB

Download
memory/2204-152-0x0000000006AF0000-0x0000000006B40000-memory.dmp

Filesize
320KB

Download
memory/2204-151-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/2204-150-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/2204-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4972-132-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/4972-133-0x0000000006940000-0x0000000006962000-memory.dmp

Filesize
136KB

Download
memory/5016-137-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/5016-143-0x0000000006670000-0x000000000668A000-memory.dmp

Filesize
104KB

Download
memory/5016-142-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/5016-141-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/5016-140-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/5016-139-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/5016-138-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads