agenttesla | 86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540

General

Target

purchase orders.exe
Size

407KB
MD5

e9f8fff3341f84d5f76570fd5068b8b5
SHA1

7daebfd9193ff0c4925523d470d71ff12d692f98
SHA256

86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540
SHA512

80fcd35320752592e7e163b5d50df19c01d061596bc411e0de7a666c156f28973b11fc8760c56a64382b22ddaf2c6aa05092ba1aba496970a0afcf7e6ed935ec
SSDEEP

12288:D9WEeYF2adf4qD7Wz+oHvu7oUgLCPj4tF2:D9WEeJhM35UUGAwU

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.karthikagro.in
Port:
587
Username:
[email protected]
Password:
Yenks@0910

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

uxtaxvs.exeuxtaxvs.exe

pid process

4656 uxtaxvs.exe
1596 uxtaxvs.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4656	uxtaxvs.exe
1596	uxtaxvs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uxtaxvs.exeuxtaxvs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnjsso = "C:\\Users\\Admin\\AppData\\Roaming\\yirrnwwgcclhhq\\aavf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\uxtaxvs.exe\" "	uxtaxvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LHdEfz = "C:\\Users\\Admin\\AppData\\Roaming\\LHdEfz\\LHdEfz.exe"	uxtaxvs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
42 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

uxtaxvs.exe

description pid process target process

PID 4656 set thread context of 1596 4656 uxtaxvs.exe uxtaxvs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

uxtaxvs.exe

pid process

1596 uxtaxvs.exe
1596 uxtaxvs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

uxtaxvs.exe

pid process

4656 uxtaxvs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uxtaxvs.exe

description pid process

Token: SeDebugPrivilege 1596 uxtaxvs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

uxtaxvs.exe

pid process

1596 uxtaxvs.exe

flow	ioc
43	api.ipify.org
42	api.ipify.org

description	pid	process	target process
PID 4656 set thread context of 1596	4656	uxtaxvs.exe	uxtaxvs.exe

pid	process
1596	uxtaxvs.exe
1596	uxtaxvs.exe

pid	process
4656	uxtaxvs.exe

description	pid	process
Token: SeDebugPrivilege	1596	uxtaxvs.exe

pid	process
1596	uxtaxvs.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

purchase orders.exeuxtaxvs.exe

description	pid	process	target process
PID 2656 wrote to memory of 4656	2656	purchase orders.exe	uxtaxvs.exe
PID 2656 wrote to memory of 4656	2656	purchase orders.exe	uxtaxvs.exe
PID 2656 wrote to memory of 4656	2656	purchase orders.exe	uxtaxvs.exe
PID 4656 wrote to memory of 1596	4656	uxtaxvs.exe	uxtaxvs.exe
PID 4656 wrote to memory of 1596	4656	uxtaxvs.exe	uxtaxvs.exe
PID 4656 wrote to memory of 1596	4656	uxtaxvs.exe	uxtaxvs.exe
PID 4656 wrote to memory of 1596	4656	uxtaxvs.exe	uxtaxvs.exe

C:\Users\Admin\AppData\Local\Temp\purchase orders.exe
"C:\Users\Admin\AppData\Local\Temp\purchase orders.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
"C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
"C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gdiyqwb.im

Filesize
334KB

MD5
7e9a72d139878ecf2699b44f890e14b8

SHA1
23a55bd2a648fe65dc25356beb5be8c44d718147

SHA256
545fed32d85fd13dee67e82dba632a2a8f54f7c9a101ef68136c457f5ad6b4e2

SHA512
bc1d5687488fbff994ac89e149c0607fa02a129742536dd4939f8fc1a3c5815377d17d7c35d197a6b0eac423d44606b8d690ec49ac3dc5992763dc449b414331

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe

Filesize
169KB

MD5
c9fd2ae104aacc62a6d543db3bdf70b2

SHA1
4111132302640eaed75782acbe3541c73df03c3a

SHA256
66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

SHA512
706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe

Filesize
169KB

MD5
c9fd2ae104aacc62a6d543db3bdf70b2

SHA1
4111132302640eaed75782acbe3541c73df03c3a

SHA256
66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

SHA512
706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe

Filesize
169KB

MD5
c9fd2ae104aacc62a6d543db3bdf70b2

SHA1
4111132302640eaed75782acbe3541c73df03c3a

SHA256
66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

SHA512
706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

Download Submit
memory/1596-17-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-14-0x00000000024A0000-0x00000000024E2000-memory.dmp

Filesize
264KB

Download
memory/1596-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-32-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-15-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/1596-18-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-31-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-16-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-19-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/1596-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-20-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-21-0x0000000004A50000-0x0000000004AB6000-memory.dmp

Filesize
408KB

Download
memory/1596-22-0x0000000005FC0000-0x0000000006010000-memory.dmp

Filesize
320KB

Download
memory/1596-23-0x0000000006020000-0x00000000060BC000-memory.dmp

Filesize
624KB

Download
memory/1596-25-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/1596-26-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-27-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1596-28-0x0000000006140000-0x00000000061D2000-memory.dmp

Filesize
584KB

Download
memory/1596-29-0x0000000006260000-0x000000000626A000-memory.dmp

Filesize
40KB

Download
memory/4656-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads