agenttesla | 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3

General

Target

NEW ORDER--GO23B005--DEC 2023.exe
Size

623KB
MD5

8eab5e4d034fde42eb31add0cb923a97
SHA1

ac9f5a051227302049aa5136a26f30a3707db55c
SHA256

1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
SHA512

54f6f28e0ad2ba4cf968fb766d000f97afb851a6886649c7968a39a3e09eff5974455164ba0e43963a1bc5a416b1fabfd6780c55cd794011ea474bd72c2accdb
SSDEEP

12288:14uUdaP5mn0llWSQSSKJOzIT5HiSRJ56/:ydaP5mn0llNQN2OzCti2z

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.asiaparadisehotel.com
Port:
587
Username:
[email protected]
Password:
^b2ycDldex$@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEW ORDER--GO23B005--DEC 2023.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Szlaz = "C:\\Users\\Admin\\AppData\\Roaming\\Szlaz.exe"	NEW ORDER--GO23B005--DEC 2023.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TlKsFB = "C:\\Users\\Admin\\AppData\\Roaming\\TlKsFB\\TlKsFB.exe"	RegAsm.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
34 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW ORDER--GO23B005--DEC 2023.exe

description pid process target process

PID 3340 set thread context of 3936 3340 NEW ORDER--GO23B005--DEC 2023.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

660 3936 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

3936 RegAsm.exe
3936 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEW ORDER--GO23B005--DEC 2023.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3340 NEW ORDER--GO23B005--DEC 2023.exe
Token: SeDebugPrivilege 3936 RegAsm.exe

flow	ioc
33	api.ipify.org
34	api.ipify.org

description	pid	process	target process
PID 3340 set thread context of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe

pid	pid_target	process	target process
660	3936	WerFault.exe	RegAsm.exe

pid	process
3936	RegAsm.exe
3936	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3340	NEW ORDER--GO23B005--DEC 2023.exe
Token: SeDebugPrivilege	3936	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

NEW ORDER--GO23B005--DEC 2023.exe

description	pid	process	target process
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe
PID 3340 wrote to memory of 3936	3340	NEW ORDER--GO23B005--DEC 2023.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\NEW ORDER--GO23B005--DEC 2023.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER--GO23B005--DEC 2023.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 2160
3⤵
- Program crash
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3936 -ip 3936
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3340-6-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/3340-8-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/3340-2-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3340-3-0x0000000004CB0000-0x0000000004D10000-memory.dmp

Filesize
384KB

Download
memory/3340-4-0x0000000004DC0000-0x0000000004E18000-memory.dmp

Filesize
352KB

Download
memory/3340-5-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/3340-1-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3340-7-0x0000000004EA0000-0x0000000004EEC000-memory.dmp

Filesize
304KB

Download
memory/3340-0-0x00000000002F0000-0x0000000000392000-memory.dmp

Filesize
648KB

Download
memory/3340-13-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3936-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-12-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3936-14-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3936-15-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/3936-17-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads