agenttesla | 446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

General

Target

FİYAT İSTEĞİ82032023.exe
Size

500KB
MD5

01f1e05c0db18b1197abe20d9d7fe39d
SHA1

36ff0a02c57f1150c6dffa5d620cdc357181604d
SHA256

446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691
SHA512

a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913
SSDEEP

12288:Oowkeve7u1hSFHAHnQTRrZYO1HLLY5dXmktgCOfMUd+d:OowdvcunegHQT7YO1HL0dXmTCv

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

FİYAT İSTEĞİ82032023.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	FİYAT İSTEĞİ82032023.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

FİYAT İSTEĞİ82032023.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	FİYAT İSTEĞİ82032023.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FİYAT İSTEĞİ82032023.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FİYAT İSTEĞİ82032023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FİYAT İSTEĞİ82032023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1148 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

936 cmd.exe

pid	process
1148	svchost.exe

pid	process
936	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FİYAT İSTEĞİ82032023.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	FİYAT İSTEĞİ82032023.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

FİYAT İSTEĞİ82032023.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	FİYAT İSTEĞİ82032023.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	FİYAT İSTEĞİ82032023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1148 set thread context of 1992 1148 svchost.exe Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1900 1992 WerFault.exe Setup.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1512 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1488 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FİYAT İSTEĞİ82032023.exe

pid process

904 FİYAT İSTEĞİ82032023.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FİYAT İSTEĞİ82032023.exesvchost.exe

description pid process

Token: SeDebugPrivilege 904 FİYAT İSTEĞİ82032023.exe
Token: SeDebugPrivilege 1148 svchost.exe

description	pid	process	target process
PID 1148 set thread context of 1992	1148	svchost.exe	Setup.exe

pid	pid_target	process	target process
1900	1992	WerFault.exe	Setup.exe

pid	process
1512	schtasks.exe

pid	process
1488	timeout.exe

pid	process
904	FİYAT İSTEĞİ82032023.exe

description	pid	process
Token: SeDebugPrivilege	904	FİYAT İSTEĞİ82032023.exe
Token: SeDebugPrivilege	1148	svchost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

FİYAT İSTEĞİ82032023.execmd.execmd.exesvchost.exeSetup.exe

description	pid	process	target process
PID 904 wrote to memory of 1760	904	FİYAT İSTEĞİ82032023.exe	cmd.exe
PID 904 wrote to memory of 1760	904	FİYAT İSTEĞİ82032023.exe	cmd.exe
PID 904 wrote to memory of 1760	904	FİYAT İSTEĞİ82032023.exe	cmd.exe
PID 904 wrote to memory of 936	904	FİYAT İSTEĞİ82032023.exe	cmd.exe
PID 904 wrote to memory of 936	904	FİYAT İSTEĞİ82032023.exe	cmd.exe
PID 904 wrote to memory of 936	904	FİYAT İSTEĞİ82032023.exe	cmd.exe
PID 1760 wrote to memory of 1512	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 1512	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 1512	1760	cmd.exe	schtasks.exe
PID 936 wrote to memory of 1488	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1488	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1488	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1148	936	cmd.exe	svchost.exe
PID 936 wrote to memory of 1148	936	cmd.exe	svchost.exe
PID 936 wrote to memory of 1148	936	cmd.exe	svchost.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1148 wrote to memory of 1992	1148	svchost.exe	Setup.exe
PID 1992 wrote to memory of 1900	1992	Setup.exe	WerFault.exe
PID 1992 wrote to memory of 1900	1992	Setup.exe	WerFault.exe
PID 1992 wrote to memory of 1900	1992	Setup.exe	WerFault.exe
PID 1992 wrote to memory of 1900	1992	Setup.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FİYAT İSTEĞİ82032023.exe
"C:\Users\Admin\AppData\Local\Temp\FİYAT İSTEĞİ82032023.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1512
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4931.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1488
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 304
        5⤵
        Program crash
        
        PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4931.tmp.bat

Filesize
151B

MD5
067c2e0dc9fba6124883071de0d59b4b

SHA1
179fc3005ba24fb3cca167b14c5b0bb558340796

SHA256
41730d22f20aa04cd9f34df06056ec1fd7245c26ccd8501bc43745ef1634d19f

SHA512
f59f4a98bd2f27f9ab69b9117bfa5652066ee3d6715f01aaf2be82921e829cb3e389555b17b1b535fb70bddc81574c4f7484eb1f2290c52dc56d6d98ff3cbd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4931.tmp.bat

Filesize
151B

MD5
067c2e0dc9fba6124883071de0d59b4b

SHA1
179fc3005ba24fb3cca167b14c5b0bb558340796

SHA256
41730d22f20aa04cd9f34df06056ec1fd7245c26ccd8501bc43745ef1634d19f

SHA512
f59f4a98bd2f27f9ab69b9117bfa5652066ee3d6715f01aaf2be82921e829cb3e389555b17b1b535fb70bddc81574c4f7484eb1f2290c52dc56d6d98ff3cbd57

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
500KB

MD5
01f1e05c0db18b1197abe20d9d7fe39d

SHA1
36ff0a02c57f1150c6dffa5d620cdc357181604d

SHA256
446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

SHA512
a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
500KB

MD5
01f1e05c0db18b1197abe20d9d7fe39d

SHA1
36ff0a02c57f1150c6dffa5d620cdc357181604d

SHA256
446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

SHA512
a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
500KB

MD5
01f1e05c0db18b1197abe20d9d7fe39d

SHA1
36ff0a02c57f1150c6dffa5d620cdc357181604d

SHA256
446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

SHA512
a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913

Download Submit
memory/904-54-0x0000000000070000-0x00000000000F2000-memory.dmp

Filesize
520KB

Download
memory/904-55-0x00000000005A0000-0x000000000061A000-memory.dmp

Filesize
488KB

Download
memory/904-56-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/1148-70-0x00000000008A0000-0x0000000000922000-memory.dmp

Filesize
520KB

Download
memory/1148-71-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1992-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads