agenttesla | 365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56

General

Target

365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe
Size

940KB
MD5

432856de9bad043ad444a66ddc630089
SHA1

c24ce55a25f3b369a85f507211219f0216ab3a16
SHA256

365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56
SHA512

67b0ff32ad6127c4b06eeb8d35b0699cab60dcafbedbf0ede185fe0badedce05d3a18d3d4d37eb6c0612a600ff571382ce4e166792b4bec83e62f961da2cd007
SSDEEP

24576:aTbBv5rUT1Cw3KW7OBCBkjUZfpaOKUSdQYvD5:sB/tsBkchKzPv9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mymobileorder.com
Port:
587
Username:
[email protected]
Password:
Grace@2023@121
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 1 IoCs

pid	Process
3412	ggxckk.msc

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Windows\CurrentVersion\Run\YseEYgM = "C:\\Users\\Admin\\AppData\\Roaming\\YseEYgM\\YseEYgM.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3412 set thread context of 3332	3412	ggxckk.msc	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	3332	WerFault.exe	79

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5040	ipconfig.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3412	ggxckk.msc
3332	RegSvcs.exe
3332	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1532	2944	365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe	71
PID 2944 wrote to memory of 1532	2944	365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe	71
PID 2944 wrote to memory of 1532	2944	365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe	71
PID 1532 wrote to memory of 4488	1532	WScript.exe	72
PID 1532 wrote to memory of 4488	1532	WScript.exe	72
PID 1532 wrote to memory of 4488	1532	WScript.exe	72
PID 4488 wrote to memory of 3412	4488	cmd.exe	74
PID 4488 wrote to memory of 3412	4488	cmd.exe	74
PID 4488 wrote to memory of 3412	4488	cmd.exe	74
PID 1532 wrote to memory of 428	1532	WScript.exe	76
PID 1532 wrote to memory of 428	1532	WScript.exe	76
PID 1532 wrote to memory of 428	1532	WScript.exe	76
PID 428 wrote to memory of 5040	428	cmd.exe	78
PID 428 wrote to memory of 5040	428	cmd.exe	78
PID 428 wrote to memory of 5040	428	cmd.exe	78
PID 3412 wrote to memory of 3332	3412	ggxckk.msc	79
PID 3412 wrote to memory of 3332	3412	ggxckk.msc	79
PID 3412 wrote to memory of 3332	3412	ggxckk.msc	79
PID 3412 wrote to memory of 3332	3412	ggxckk.msc	79
PID 3412 wrote to memory of 3332	3412	ggxckk.msc	79

C:\Users\Admin\AppData\Local\Temp\365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe
"C:\Users\Admin\AppData\Local\Temp\365e28eadb6dc0dadb3668971537a4f14344caf1573f9e88eac921a944c5bc56.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\qgu-v.vbe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ggxckk.msc kjpdud.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggxckk.msc
      ggxckk.msc kjpdud.txt
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1976
        6⤵
        Program crash
        
        PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:5040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dhvetrn.cab

Filesize
394KB

MD5
7c92bacaef1c1f6eab5bec00f95c1f69

SHA1
aacd082d16ae37b7157f25bf06f92ccb949269a8

SHA256
a2e8bb219850a67a4cf543007f2e355a46d36d0c8f2c36fdfb181f564edb155b

SHA512
d48d57b3ac67d16aceab7023df4da8350a4d0da5cfbbbd07228e128ae7c7fffd0f28b8cf7112a4ae79ef81d04f1cfd80a9f4fa180595bfd381d3b7d73ce058dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggxckk.msc

Filesize
995KB

MD5
9ac40fcb10cede7c33fceea101561bf0

SHA1
699efa9ceea58c60b7ab6d39a56099dc0668d558

SHA256
1175f87212b8ec9118288a73e1106d4aaebda64976343ea1eedf0ab2ba81c705

SHA512
c611134ffd7a4b03794ae252bbafa4eec142b20483296ced6fbfb6e566880618391a25e444754cadb6858cdb32ddb4b6b49fa5b37589c6a5127927f9da918750

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ggxckk.msc

Filesize
995KB

MD5
9ac40fcb10cede7c33fceea101561bf0

SHA1
699efa9ceea58c60b7ab6d39a56099dc0668d558

SHA256
1175f87212b8ec9118288a73e1106d4aaebda64976343ea1eedf0ab2ba81c705

SHA512
c611134ffd7a4b03794ae252bbafa4eec142b20483296ced6fbfb6e566880618391a25e444754cadb6858cdb32ddb4b6b49fa5b37589c6a5127927f9da918750

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kjpdud.txt

Filesize
9.5MB

MD5
1ffe5b30a1d8b2b321bba993cfc6bf80

SHA1
3238d541244b537951823c98af5ea203a47f8222

SHA256
886938101a579427e84adf223c40f6c70bac27b3f45c1aef442a58371fabd6bb

SHA512
17cb988959f508e06225c5d8e2c2ab2a9b532582010be675cf7619fef4e1b971c4afbb45bf9853955b23ff2d15bc093ec5c737828ccd0bbd26e421efabaade20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qgu-v.vbe

Filesize
68KB

MD5
9aa9e05e3b8aa7c2605b552da2d0c3f8

SHA1
6da31802b9cf5cd173601ea4066b2e90d7032cfa

SHA256
0e12b7640a548d553c986ae398e7ac42f83a350a7ae491b89c6ad039193965c0

SHA512
328c6ef63a124753db1a5ae44aa2f0e4c16600e05933ec5e7e6a4e27726214c21d55be5c2a52b5c0b09790197010b4bce092c0d4a17768f28574345223f71b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vvpgcerer.icm

Filesize
38KB

MD5
fa0c7b8e11a6b417430da9a95d0523d1

SHA1
fda6a5d0248499560163a75331b9ae2a96f47e9e

SHA256
5cc8ff2f1c7077868d0b1f60207122595859cf30b25bbf83eccdaa86b7212860

SHA512
4aa7542fd4159d1d42c29bf0c6f02f8a2548933d9b5e44a276f7ffb492dc4212f1e7bce3e08cd3a81154bb5e34d19cc07558a9076ddbacfc38edb6648c830b97

Download Submit
memory/3332-56-0x0000000000F00000-0x0000000001598000-memory.dmp

Filesize
6.6MB

Download
memory/3332-57-0x0000000000F00000-0x0000000000F44000-memory.dmp

Filesize
272KB

Download
memory/3332-58-0x0000000071870000-0x0000000071F5E000-memory.dmp

Filesize
6.9MB

Download
memory/3332-59-0x0000000005E30000-0x000000000632E000-memory.dmp

Filesize
5.0MB

Download
memory/3332-60-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3332-61-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/3332-80-0x0000000071870000-0x0000000071F5E000-memory.dmp

Filesize
6.9MB

Download
memory/3332-81-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads