agenttesla | 17d02a46d36d276311b26963af8c73b27838fe026b32dcef9021a96c85a5a9c9

General

Target

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
Size

850KB
MD5

934bd53497aec99627a9b6c48cc966bb
SHA1

25a4d76f441e1d9e3eed218f5a1830d164b95d3f
SHA256

17d02a46d36d276311b26963af8c73b27838fe026b32dcef9021a96c85a5a9c9
SHA512

1b1004d528e0fdd8210676c9d874cd47cd8a30603b7ea52dcb0284af883b44eb71f987670f05d9fd4b240a0869d0fbd22f929f88e1c5f01478cf5de4a913d544
SSDEEP

24576:B7iVsTwW+pMpeNcFbHN5cBVMyXjimXvL:B7iVs7kD4bHNiXj

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.redseatransportuae.com
Port:
587
Username:
[email protected]
Password:
method10@10
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

description pid process target process

PID 1980 set thread context of 2028 1980 Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1464 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 1980 set thread context of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe

pid	process
1464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exepowershell.exepowershell.exe

pid	process
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1188	powershell.exe
588	powershell.exe
1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
Token: SeDebugPrivilege	2028	RegSvcs.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2028 RegSvcs.exe

pid	process
2028	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

description	pid	process	target process
PID 1980 wrote to memory of 588	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 588	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 588	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 588	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 1188	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 1188	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 1188	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 1188	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 1980 wrote to memory of 1464	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 1980 wrote to memory of 1464	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 1980 wrote to memory of 1464	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 1980 wrote to memory of 1464	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 1980 wrote to memory of 2028	1980	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
"C:\Users\Admin\AppData\Local\Temp\Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nPPGTpcTsshCyU.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nPPGTpcTsshCyU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43B5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp43B5.tmp

Filesize
1KB

MD5
cfd19ed389a3d38c7e792859648aa6ef

SHA1
5306f39ade4a83452824b4cd8107a265dcdef150

SHA256
5a178e95d867b4f66bdec38e2879d9f754b1e61a147e21eca0a04900cea57cee

SHA512
fe2f41b46105bdbd0fae63de8b923bcf8c1c85422a573de738ca1b571a1d8d021ecc46cc289f355cc62e11baa492c0ae585dded4d1f8ed7c07141aa40d545eba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2GM5SJM2HY182FNFXCSQ.temp

Filesize
7KB

MD5
73e7c812276346512ac16d31f720f53d

SHA1
dc7a3aa7539a5a67b79ee5959cc406ad41443227

SHA256
079560777e02cb11c9f39a9ee758d70d7feda87d3913965a9bfd37453e0a195a

SHA512
730dd07fd1a7a3d085a25c49a5446f7b0144dc3a94c03a56de0f431aa8067666bacfe6085ebe84d39d17907f76311980069e1202df7a6dbafc49c38d9a1be13c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
73e7c812276346512ac16d31f720f53d

SHA1
dc7a3aa7539a5a67b79ee5959cc406ad41443227

SHA256
079560777e02cb11c9f39a9ee758d70d7feda87d3913965a9bfd37453e0a195a

SHA512
730dd07fd1a7a3d085a25c49a5446f7b0144dc3a94c03a56de0f431aa8067666bacfe6085ebe84d39d17907f76311980069e1202df7a6dbafc49c38d9a1be13c

Download Submit
memory/588-91-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1188-92-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1980-60-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1980-57-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1980-54-0x0000000000E80000-0x0000000000F5A000-memory.dmp

Filesize
872KB

Download
memory/1980-62-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1980-63-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1980-64-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1980-65-0x0000000004F00000-0x0000000004F78000-memory.dmp

Filesize
480KB

Download
memory/1980-66-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1980-67-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1980-59-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/1980-58-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1980-61-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1980-80-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/1980-55-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1980-56-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2028-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2028-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads