agenttesla | 6c7a86fab40be3fa9a95bbeb52f9c790d239646d0ff8504cfa5629f4fd9a1f42

General

Target

5041673918XXXXX.BAT.exe
Size

330KB
MD5

936f0aaff53261396d764a5429c6a05e
SHA1

c9b23f881ef506918a8b90a6789878e130fc2d55
SHA256

6c7a86fab40be3fa9a95bbeb52f9c790d239646d0ff8504cfa5629f4fd9a1f42
SHA512

84fa483869c5307f31496cc66847f777e8ddfe677b2694ec83385dddd34a0a571f36aa50edb39d4da5961346a62e161097c5e62e710795fd8569cfc2f76af967
SSDEEP

6144:P8LxBs9bI62/EJuzNsHyAOhJsiBQqu7mycVtXBpve5CzmTc/bfq6PfqpctSbT9k7:B1Ip85yAKJsienHqtuCzJTfPSYSbY

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.asiaparadisehotel.com
Port:
587
Username:
[email protected]
Password:
^b2ycDldex$@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

hffhzbqjsu.exehffhzbqjsu.exe

pid process

1696 hffhzbqjsu.exe
316 hffhzbqjsu.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1696	hffhzbqjsu.exe
316	hffhzbqjsu.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/316-13-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/316-12-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/316-11-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/316-8-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hffhzbqjsu.exehffhzbqjsu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgcktpyienjsc = "C:\\Users\\Admin\\AppData\\Roaming\\ejsoxt\\dmirb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hffhzbqjsu.exe\" "	hffhzbqjsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\M yApp = "C:\\Users\\Admin\\AppData\\Roaming\\M yApp\\M yApp.exe"	hffhzbqjsu.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
27 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

hffhzbqjsu.exe

description pid process target process

PID 1696 set thread context of 316 1696 hffhzbqjsu.exe hffhzbqjsu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

hffhzbqjsu.exe

pid process

316 hffhzbqjsu.exe
316 hffhzbqjsu.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hffhzbqjsu.exe

pid process

1696 hffhzbqjsu.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hffhzbqjsu.exe

description pid process

Token: SeDebugPrivilege 316 hffhzbqjsu.exe

flow	ioc
26	api.ipify.org
27	api.ipify.org

description	pid	process	target process
PID 1696 set thread context of 316	1696	hffhzbqjsu.exe	hffhzbqjsu.exe

pid	process
316	hffhzbqjsu.exe
316	hffhzbqjsu.exe

pid	process
1696	hffhzbqjsu.exe

description	pid	process
Token: SeDebugPrivilege	316	hffhzbqjsu.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5041673918XXXXX.BAT.exehffhzbqjsu.exe

description	pid	process	target process
PID 3672 wrote to memory of 1696	3672	5041673918XXXXX.BAT.exe	hffhzbqjsu.exe
PID 3672 wrote to memory of 1696	3672	5041673918XXXXX.BAT.exe	hffhzbqjsu.exe
PID 3672 wrote to memory of 1696	3672	5041673918XXXXX.BAT.exe	hffhzbqjsu.exe
PID 1696 wrote to memory of 316	1696	hffhzbqjsu.exe	hffhzbqjsu.exe
PID 1696 wrote to memory of 316	1696	hffhzbqjsu.exe	hffhzbqjsu.exe
PID 1696 wrote to memory of 316	1696	hffhzbqjsu.exe	hffhzbqjsu.exe
PID 1696 wrote to memory of 316	1696	hffhzbqjsu.exe	hffhzbqjsu.exe

C:\Users\Admin\AppData\Local\Temp\5041673918XXXXX.BAT.exe
"C:\Users\Admin\AppData\Local\Temp\5041673918XXXXX.BAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe
"C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe
"C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe

Filesize
193KB

MD5
329714258936d5d850f267ed14ddf624

SHA1
198a7e8e17e199444ffdec075c87481d20e8c68c

SHA256
f91316f363cd9853faa36dccdec6f409ca659491a06fa43fe4a779262688cae2

SHA512
deae281d7021bfa270c6ff7a7abbdf8d8816d2b84fa9761bf69535e938f6cfa3344014042eb39b4cbcc4c87a8bcf40322dec94b9b8a4f1923fbb28761754a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe

Filesize
143KB

MD5
cb822fa06cf740a06a434779546e4e28

SHA1
81fb89ad3d832e371940c507892ab8834e5d358f

SHA256
465445d9028073e7cb9d58c3ae8973912b1793c1372797a01d275395cd2275e0

SHA512
4e61ba0239694fd83601348764173d1591d888119b346993b6decd6761b0de55d8e57d1d8073bb71e115a5b942fd7cea612b489ebe3de74fee152c1fd1746084

Download Submit
C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe

Filesize
64KB

MD5
0598dc77b5f3166e26e1455f11fc34ae

SHA1
141d075d76d86c01da9a0cf5ba51ad5890d7dd85

SHA256
58f44ecdc157251a33c21ed998612310eb1ae4253191a78e3e1f1dec44bed6d4

SHA512
a83d7dd187745ff7f34fcbe3e825e7f514047781287882c0f74e52a61c52c7810b86cff411239ed458b1404cedf39a91f8c46874dcec9ad577999850ed3c5c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvaxxork.y

Filesize
43KB

MD5
b0588fa5a68051fbfb11761b2274a796

SHA1
5d2e20bc9ebce93025555cb1d9283ca0a47d5a40

SHA256
4b5abb4e919e96985afa633b2f207a940165f68e156173c081db97a7d6492753

SHA512
aa62bf43463641ce62f6db37c65afb145ed88c2f4944776b2e142b03254cc007d894ee4e11ef719aa769e00269f8a370142d137718a51cbb36af30e675150ff1

Download Submit
memory/316-15-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/316-18-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/316-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/316-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/316-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/316-14-0x0000000002CA0000-0x0000000002CE2000-memory.dmp

Filesize
264KB

Download
memory/316-27-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/316-17-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/316-16-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/316-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/316-19-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/316-20-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/316-21-0x0000000006910000-0x0000000006960000-memory.dmp

Filesize
320KB

Download
memory/316-22-0x0000000006A00000-0x0000000006A9C000-memory.dmp

Filesize
624KB

Download
memory/316-23-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/316-24-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/316-25-0x0000000006B40000-0x0000000006BD2000-memory.dmp

Filesize
584KB

Download
memory/316-26-0x0000000006AC0000-0x0000000006ACA000-memory.dmp

Filesize
40KB

Download
memory/1696-5-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads