agenttesla | 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b

General

Target

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
Size

645KB
MD5

c05ec2b49ef0eca110f46b3cd6c6bc9c
SHA1

b576618b370fcdd50686873430ae672aeeec981c
SHA256

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b
SHA512

ddb547298322ab7dbca8265f8f376467e12327300ff6cb9c666910dfc8abee690c3f4b428aeffa1a3ad9f209fe52119e482d65d93d9ba377e8f4bb5980dcb61a
SSDEEP

12288:b+8XG5SFEyclCv8epb+k/35QM9pn3yK/ASiTZTES9+aTyDQTyx:b+8BFslS8ep4M9Z3yK/A1TZASwaTkQTu

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.appareljonebd.com
Port:
587
Username:
[email protected]
Password:
#Admin@1122
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 1 IoCs

Processes:

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

pid process

2412 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
11 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msbuild.exe

pid process

2780 msbuild.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exemsbuild.exe

pid process

2412 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
2780 msbuild.exe

pid	process
2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

flow	ioc
10	api.ipify.org
11	api.ipify.org

pid	process
2780	msbuild.exe

pid	process
2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
2780	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

description	pid	process	target process
PID 2412 set thread context of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe

Drops file in Windows directory 4 IoCs

Processes:

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

description	ioc	process
File created	C:\Windows\chondriome\apotekerdisciplenes.lnk	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
File opened for modification	C:\Windows\Kogekunsters227\arnement.ini	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
File opened for modification	C:\Windows\Fonts\buskvksterne.ini	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
File created	C:\Windows\Fonts\nabogrunde\sedimentarily.lnk	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msbuild.exe

pid process

2780 msbuild.exe
2780 msbuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

pid process

2412 5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

msbuild.exe

description pid process

Token: SeDebugPrivilege 2780 msbuild.exe

pid	process
2780	msbuild.exe
2780	msbuild.exe

pid	process
2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

description	pid	process
Token: SeDebugPrivilege	2780	msbuild.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe

description	pid	process	target process
PID 2412 wrote to memory of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe
PID 2412 wrote to memory of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe
PID 2412 wrote to memory of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe
PID 2412 wrote to memory of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe
PID 2412 wrote to memory of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe
PID 2412 wrote to memory of 2780	2412	5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe	msbuild.exe

C:\Users\Admin\AppData\Local\Temp\5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe
"C:\Users\Admin\AppData\Local\Temp\5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Users\Admin\AppData\Local\Temp\5b74f7218a99d18bb1961ccab95e2d8c0f07bc62499b32f8962587b953b7c32b.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCD1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\divisa.ini

Filesize
37B

MD5
6afbceba786a45c12c432275ca8fa2fd

SHA1
a0ba442f9661309d3cd11da7783ee6b2ff8926cd

SHA256
c48e9a91c089b7e2bdbdad49e8841ee05d4051bffe2ca304982195ea26b96eb8

SHA512
449aaf84e4f5eb18c06ce20bf0a3fadcd59428388cc02f60ca02d268dae61869044b6e65515ec3c3f7a71bdcbc1a689d0897de167f148a31d7d0bd0431c45550

Download Submit
C:\Users\Admin\Docimasy.ini

Filesize
35B

MD5
07aa3c5f11b10fbd989d1cd144d9f5ec

SHA1
1cb0349287f9171642f1dfca482697aebd172cca

SHA256
2e9c5f3febbb36f97f3e5da2edc82d49e020b4b36b38faafd121326c8de8e710

SHA512
a854cde4122d050363cfcb167c72aa367018835f497b13b4e73536910bcb38bff5ba4261f4075bf96c41c065718fb15d7228c3b59f12c81fb3ea09932f4960b1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd936B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/2412-61-0x0000000077640000-0x00000000777E9000-memory.dmp

Filesize
1.7MB

Download
memory/2412-62-0x0000000077830000-0x0000000077906000-memory.dmp

Filesize
856KB

Download
memory/2412-63-0x0000000074E50000-0x0000000074E57000-memory.dmp

Filesize
28KB

Download
memory/2780-92-0x0000000072BC0000-0x0000000073C22000-memory.dmp

Filesize
16.4MB

Download
memory/2780-64-0x0000000077640000-0x00000000777E9000-memory.dmp

Filesize
1.7MB

Download
memory/2780-123-0x0000000072BC0000-0x0000000073C22000-memory.dmp

Filesize
16.4MB

Download
memory/2780-124-0x0000000000230000-0x00000000040BE000-memory.dmp

Filesize
62.6MB

Download
memory/2780-125-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-126-0x0000000072BC0000-0x0000000072C02000-memory.dmp

Filesize
264KB

Download
memory/2780-127-0x00000000353B0000-0x00000000353F0000-memory.dmp

Filesize
256KB

Download
memory/2780-130-0x00000000724D0000-0x0000000072BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-132-0x00000000353B0000-0x00000000353F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads