agenttesla | 0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904

General

Target

Balancepayment.exe
Size

392KB
MD5

9380d44800fbdf3899fe1d04af533d1f
SHA1

a052510980763e83d19c3f9824ea58a5f4eab2b3
SHA256

0b6b634a3d763601e989506f485f0bbbb9aa0b739f34d5566069bfd7bdc05904
SHA512

8e2e205984f1672df25d4c78fca631290706e793677f480b0d088e60bdbef6b91b5e7752175cef0d85fc6c381adf39c64cb3ba6c4578ddbd5b7a79dff9f7be99
SSDEEP

6144:WSodkdIGvvJXFj+3vsW5qeP0sCuTiw14LqcCiNMF2eR2BQ1hZnhG5rO/lGFNzTbn:WSFdIGZVjukc044NCiSx71HsKGXJSA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
Kene123456789
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2088 ipconfig.exe
2564 ipconfig.exe

pid	process
2088	ipconfig.exe
2564	ipconfig.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Balancepayment.execmd.exe

description	pid	process	target process
PID 1404 wrote to memory of 1712	1404	Balancepayment.exe	cmd.exe
PID 1404 wrote to memory of 1712	1404	Balancepayment.exe	cmd.exe
PID 1404 wrote to memory of 1712	1404	Balancepayment.exe	cmd.exe
PID 1404 wrote to memory of 1712	1404	Balancepayment.exe	cmd.exe
PID 1712 wrote to memory of 2088	1712	cmd.exe	ipconfig.exe
PID 1712 wrote to memory of 2088	1712	cmd.exe	ipconfig.exe
PID 1712 wrote to memory of 2088	1712	cmd.exe	ipconfig.exe
PID 1712 wrote to memory of 2088	1712	cmd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe
"C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
2⤵
PID:2692

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:2564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
2⤵
PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
3⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe
C:\Users\Admin\AppData\Local\Temp\Balancepayment.exe
2⤵
PID:856

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
1⤵
- Gathers network information
PID:2088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-34-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/856-33-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/856-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/856-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-31-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/856-32-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1404-7-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-4-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/1404-1-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/1404-3-0x0000000001F70000-0x0000000001FC8000-memory.dmp

Filesize
352KB

Download
memory/1404-5-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/1404-6-0x0000000002070000-0x00000000020BC000-memory.dmp

Filesize
304KB

Download
memory/1404-27-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-8-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/1404-0-0x0000000000910000-0x0000000000978000-memory.dmp

Filesize
416KB

Download
memory/2600-13-0x000000006FBE0000-0x000000007018B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-14-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2600-17-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2600-16-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2600-15-0x000000006FBE0000-0x000000007018B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-18-0x000000006FBE0000-0x000000007018B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing