agenttesla | 25eb6eaa92b7ecfccf496d1259b64fa876f63ea1b0ac4e6b69694ad4d7ee56b3

General

Target

order B001.exe
Size

627KB
MD5

37f6a0d60cd4f997011d801ccd5801f9
SHA1

1d3c69938399f622330b0ea0f44aa293518fc5c8
SHA256

cd3561858ad85a86217ecd30e1acc1937c2a2efba5f3fbc2422645fea169dd5f
SHA512

470be45e3923ff486827c6fb3eba54e4998851f7e76737c53260cc42a853a306ea68ce1834c3f10def524a3ade2881982c371bb7ebd47b291036f60f85eded34
SSDEEP

12288:f45+po2DsuSyr2GJgSqlirGC7ovRxJwyWDYITYRZL0VIAHn8LkYFQ5:e+pJoXGJgSq+GC7oJXyzHVZHn8e

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.huyhoangvn.vn
Port:
587
Username:
[email protected]
Password:
huyhoangqa123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

order B001.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"	order B001.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

order B001.exe

description pid process target process

PID 2636 set thread context of 2556 2636 order B001.exe order B001.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2560 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

order B001.exepowershell.exepowershell.exeorder B001.exe

pid process

2636 order B001.exe
2636 order B001.exe
2272 powershell.exe
2768 powershell.exe
2556 order B001.exe
2556 order B001.exe

flow	ioc
2	api.ipify.org

description	pid	process	target process
PID 2636 set thread context of 2556	2636	order B001.exe	order B001.exe

pid	process
2560	schtasks.exe

pid	process
2636	order B001.exe
2636	order B001.exe
2272	powershell.exe
2768	powershell.exe
2556	order B001.exe
2556	order B001.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

order B001.exepowershell.exepowershell.exeorder B001.exe

description	pid	process
Token: SeDebugPrivilege	2636	order B001.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2556	order B001.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

order B001.exe

pid process

2556 order B001.exe

pid	process
2556	order B001.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

order B001.exe

description	pid	process	target process
PID 2636 wrote to memory of 2768	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2768	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2768	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2768	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2272	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2272	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2272	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2272	2636	order B001.exe	powershell.exe
PID 2636 wrote to memory of 2560	2636	order B001.exe	schtasks.exe
PID 2636 wrote to memory of 2560	2636	order B001.exe	schtasks.exe
PID 2636 wrote to memory of 2560	2636	order B001.exe	schtasks.exe
PID 2636 wrote to memory of 2560	2636	order B001.exe	schtasks.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe
PID 2636 wrote to memory of 2556	2636	order B001.exe	order B001.exe

C:\Users\Admin\AppData\Local\Temp\order B001.exe
"C:\Users\Admin\AppData\Local\Temp\order B001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order B001.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eGrBUDzjAJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGrBUDzjAJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5947.tmp"
2⤵
- Creates scheduled task(s)
PID:2560

C:\Users\Admin\AppData\Local\Temp\order B001.exe
"C:\Users\Admin\AppData\Local\Temp\order B001.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5947.tmp

Filesize
1KB

MD5
2193fdba6ea65650b57494a206f5a3b3

SHA1
03a9caf096a22376397ef72a2848755141f0674f

SHA256
424c2dec3a909a655ff3acf8f85ca33df7658eca41d8963ba9cb08444487a4ee

SHA512
c09d3cd6603a4c886b3562bf9d81aaa1ea9795fcd74465ed6358179eb0010ed53fa5006ffefa07eecb5835336bab6b7614c58c6ebd39b28f335075520f41a09c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KH52851LOVI4C5AJ1ZMB.temp

Filesize
7KB

MD5
93add3566d16bcfc19704a7c6f10c2e0

SHA1
0cff32b5ea3dba6fbd4ddef7593853064ae27f53

SHA256
9620d1d80f967503bf9d53fcdb8b93310a158a73e4eab44eb54048ad6f7e6522

SHA512
396242cfc25a4e965064f334e5ce0af0cdf3b74c90904f2e985e3023d50b8514c2dbdaac1dabbb59f1d4c34a6df493dbbc47a8b83a52655bf609088829138486

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
93add3566d16bcfc19704a7c6f10c2e0

SHA1
0cff32b5ea3dba6fbd4ddef7593853064ae27f53

SHA256
9620d1d80f967503bf9d53fcdb8b93310a158a73e4eab44eb54048ad6f7e6522

SHA512
396242cfc25a4e965064f334e5ce0af0cdf3b74c90904f2e985e3023d50b8514c2dbdaac1dabbb59f1d4c34a6df493dbbc47a8b83a52655bf609088829138486

Download Submit
memory/2272-44-0x000000006C030000-0x000000006C5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2272-37-0x000000006C030000-0x000000006C5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2272-38-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/2272-35-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/2272-33-0x000000006C030000-0x000000006C5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-40-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2556-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-47-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2556-46-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-39-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2636-4-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2636-6-0x0000000005E80000-0x0000000005EFC000-memory.dmp

Filesize
496KB

Download
memory/2636-5-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2636-3-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/2636-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2636-0-0x0000000000C20000-0x0000000000CC2000-memory.dmp

Filesize
648KB

Download
memory/2636-30-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-1-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-36-0x000000006C030000-0x000000006C5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-41-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/2768-42-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/2768-34-0x000000006C030000-0x000000006C5DB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-43-0x000000006C030000-0x000000006C5DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads