agenttesla | f78bda643bc02054908c347ed64d7244d6da34cd8798aadf6e01313c8803c5bb

General

Target

c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe
Size

350.1MB
MD5

e6ee01eefc03e56e385cb620990516d8
SHA1

f64b4f867b05ed4ac03bfa4c61cad6cd7f51a248
SHA256

c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331
SHA512

89006d7f81e8abe98d5bc309c5dade672410cb39c9c58ab83c8cbcb0952e9f4415a920080efd67d3733c424e19a74b15839d3e1be7d5d1604cfd70caed406909
SSDEEP

384:CoRiEv8uudnJ0fXHEkKLgvnnmLkgDd8yxNxDs7vOcPPhI+9wwwwwww7777jYYYz7:CaiKyoftWgvmIUdfT3cVl

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mgcpakistan.com/
Port:
21
Username:
[email protected]
Password:
boygirl123456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

resource	yara_rule
behavioral5/memory/1852-71-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral5/memory/1852-73-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral5/memory/1852-72-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral5/memory/1852-74-0x00000000004374CE-mapping.dmp	family_agenttesla
behavioral5/memory/1852-76-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral5/memory/1852-78-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSoftware = "\"C:\\Users\\Admin\\AppData\\Roaming\\Updates\\MicrosoftSoftware.exe\""	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
516	powershell.exe
956	powershell.exe
1852	InstallUtil.exe
1852	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1852	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 516	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	27
PID 1252 wrote to memory of 516	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	27
PID 1252 wrote to memory of 516	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	27
PID 1252 wrote to memory of 516	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	27
PID 1252 wrote to memory of 1436	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	29
PID 1252 wrote to memory of 1436	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	29
PID 1252 wrote to memory of 1436	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	29
PID 1252 wrote to memory of 1436	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	29
PID 1436 wrote to memory of 956	1436	cmd.exe	31
PID 1436 wrote to memory of 956	1436	cmd.exe	31
PID 1436 wrote to memory of 956	1436	cmd.exe	31
PID 1436 wrote to memory of 956	1436	cmd.exe	31
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32
PID 1252 wrote to memory of 1852	1252	c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe	32

C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe
"C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ec2465ea8b778efc1cfdbdcaad8deda2

SHA1
7eead64d9b54ef7d098f08679c43175602600765

SHA256
d3cfc262f0d708a297058d6f948b71c5c7623fd6d70e886d188c5ab1bdc7c14b

SHA512
f4a3ef178f44a61af0991a4a8a93bfa7219c6a6a4006acc4218d4f63fe78b18be0b84cb8b840a095f7bdd6bb8c68cdd7958aec5c2502154c20cd8644da656ea1

Download Submit
memory/516-60-0x000000006ED10000-0x000000006F2BB000-memory.dmp

Filesize
5.7MB

Download
memory/516-61-0x000000006ED10000-0x000000006F2BB000-memory.dmp

Filesize
5.7MB

Download
memory/516-62-0x000000006ED10000-0x000000006F2BB000-memory.dmp

Filesize
5.7MB

Download
memory/956-67-0x000000006ECF0000-0x000000006F29B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-54-0x0000000001100000-0x0000000001122000-memory.dmp

Filesize
136KB

Download
memory/1252-57-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1252-56-0x0000000005D10000-0x0000000005DC6000-memory.dmp

Filesize
728KB

Download
memory/1252-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1852-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing