agenttesla | 17d02a46d36d276311b26963af8c73b27838fe026b32dcef9021a96c85a5a9c9

Analysis

max time kernel
124s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
Size

850KB
MD5

934bd53497aec99627a9b6c48cc966bb
SHA1

25a4d76f441e1d9e3eed218f5a1830d164b95d3f
SHA256

17d02a46d36d276311b26963af8c73b27838fe026b32dcef9021a96c85a5a9c9
SHA512

1b1004d528e0fdd8210676c9d874cd47cd8a30603b7ea52dcb0284af883b44eb71f987670f05d9fd4b240a0869d0fbd22f929f88e1c5f01478cf5de4a913d544
SSDEEP

24576:B7iVsTwW+pMpeNcFbHN5cBVMyXjimXvL:B7iVs7kD4bHNiXj

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.redseatransportuae.com
Port:
587
Username:
[email protected]
Password:
method10@10

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.redseatransportuae.com
Port:
587
Username:
[email protected]
Password:
method10@10
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 api.ipify.org
40 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

description pid process target process

PID 2912 set thread context of 2408 2912 Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1372 schtasks.exe

flow	ioc
41	api.ipify.org
40	api.ipify.org

description	pid	process	target process
PID 2912 set thread context of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe

pid	process
1372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exepowershell.exepowershell.exe

pid	process
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
1264	powershell.exe
2024	powershell.exe
2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
2024	powershell.exe
1264	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2408	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2408 RegSvcs.exe

pid	process
2408	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe

description	pid	process	target process
PID 2912 wrote to memory of 2024	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 2912 wrote to memory of 2024	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 2912 wrote to memory of 2024	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 2912 wrote to memory of 1264	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 2912 wrote to memory of 1264	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 2912 wrote to memory of 1264	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	powershell.exe
PID 2912 wrote to memory of 1372	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 2912 wrote to memory of 1372	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 2912 wrote to memory of 1372	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	schtasks.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe
PID 2912 wrote to memory of 2408	2912	Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe
"C:\Users\Admin\AppData\Local\Temp\Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Garanti Bbva Havale tavsiyesi 30032023 TL8985500800058.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nPPGTpcTsshCyU.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nPPGTpcTsshCyU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
af8ea2b508be18c83a975cccb30b049a

SHA1
2bfed4a4ddc00fce03e2b633b6ffbb28bf7f521b

SHA256
8f0bc34849b014e6917b218367339b5ea23765d691d9947e12ef8f5ce90083db

SHA512
aae54e3ea1930fd3a9447a9f8a417ef4527489f9f6962be816901c39d5ed38820debe65bc6d770d9c6820bcc3cae7780d4f5596ea651d204e91e414811b1e60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdgvt12p.phq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp

Filesize
1KB

MD5
a48a5f46449bee7138604d0da8188a9e

SHA1
24f97b72c5c0e9b37467b7a50536fed669ef2067

SHA256
9e2f53fcd47bf961d00dedd256c1fda1b0a831cff69f80f2f812a86603929ea4

SHA512
5b32506f28f129de88913e4a28dc9d1d0a6c0c268274fc3d0c3a8bf651f818feac4dee2ad3e5d6c73ae1d35eae4ea583d1d48148050cdece3275b52240e58645

Download Submit
memory/1264-206-0x000000007FC60000-0x000000007FC70000-memory.dmp

Filesize
64KB

Download
memory/1264-155-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/1264-179-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/1264-212-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/1264-207-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/1264-204-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1264-183-0x00000000756D0000-0x000000007571C000-memory.dmp

Filesize
304KB

Download
memory/1264-157-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1264-164-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2024-208-0x0000000007500000-0x000000000751A000-memory.dmp

Filesize
104KB

Download
memory/2024-203-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2024-152-0x0000000005130000-0x0000000005152000-memory.dmp

Filesize
136KB

Download
memory/2024-154-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2024-150-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/2024-156-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2024-181-0x00000000071D0000-0x0000000007202000-memory.dmp

Filesize
200KB

Download
memory/2024-163-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2024-213-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/2024-149-0x0000000004C90000-0x0000000004CC6000-memory.dmp

Filesize
216KB

Download
memory/2024-211-0x0000000007730000-0x000000000773E000-memory.dmp

Filesize
56KB

Download
memory/2024-210-0x0000000007780000-0x0000000007816000-memory.dmp

Filesize
600KB

Download
memory/2024-209-0x0000000007570000-0x000000000757A000-memory.dmp

Filesize
40KB

Download
memory/2024-205-0x000000007F810000-0x000000007F820000-memory.dmp

Filesize
64KB

Download
memory/2024-193-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/2024-182-0x00000000756D0000-0x000000007571C000-memory.dmp

Filesize
304KB

Download
memory/2408-214-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/2408-228-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/2408-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2408-180-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/2408-221-0x0000000007430000-0x00000000075F2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-220-0x0000000007210000-0x0000000007260000-memory.dmp

Filesize
320KB

Download
memory/2912-142-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2912-140-0x0000000006070000-0x0000000006216000-memory.dmp

Filesize
1.6MB

Download
memory/2912-138-0x0000000005500000-0x0000000005538000-memory.dmp

Filesize
224KB

Download
memory/2912-137-0x0000000005210000-0x0000000005218000-memory.dmp

Filesize
32KB

Download
memory/2912-144-0x0000000009410000-0x00000000094AC000-memory.dmp

Filesize
624KB

Download
memory/2912-136-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/2912-143-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2912-135-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/2912-134-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2912-141-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/2912-139-0x0000000005220000-0x000000000522E000-memory.dmp

Filesize
56KB

Download
memory/2912-133-0x00000000005F0000-0x00000000006CA000-memory.dmp

Filesize
872KB

Download