agenttesla | 27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a

General

Target

27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
Size

728KB
MD5

cdf4d3afa2bee0bf7815ea21c357fcbd
SHA1

14bd588ba6460c3dc6351b54936f64f7261a7e4c
SHA256

27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a
SHA512

490b7c341d91f483aef5f24b82e872d88dd278d49bee19e7051aad9af460193ba3d27e11283784c32b0d970f645fe7e1a11492020ecdf07df41d2e890db95238
SSDEEP

12288:PAYAXukOaVQpmyydTlVQnmI5dj39r+ZNJ+CRW74FXHMNya0USBx+R:xLz9iim8jNrlGW7DyaWx+R

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1400	3008	WerFault.exe	118

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3880	PING.EXE
2984	PING.EXE
2244	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2064	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe	100
PID 2464 wrote to memory of 2064	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe	100
PID 2464 wrote to memory of 2064	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe	100
PID 2064 wrote to memory of 3880	2064	cmd.exe	99
PID 2064 wrote to memory of 3880	2064	cmd.exe	99
PID 2064 wrote to memory of 3880	2064	cmd.exe	99
PID 2464 wrote to memory of 1768	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe	106
PID 2464 wrote to memory of 1768	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe	106
PID 2464 wrote to memory of 1768	2464	27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe	106
PID 1768 wrote to memory of 2984	1768	cmd.exe	105
PID 1768 wrote to memory of 2984	1768	cmd.exe	105
PID 1768 wrote to memory of 2984	1768	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe
"C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 25 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explooorrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "explooorrs" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 27 > nul && copy "C:\Users\Admin\AppData\Local\Temp\27e2722049ed670474ba068763442df1a11930feb437552454801ebe9e59d59a.exe" "C:\Users\Admin\AppData\Roaming\explooorrs.exe" && ping 127.0.0.1 -n 27 > nul && "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 27
    3⤵
    - Runs ping.exe
    PID:2244
- - C:\Users\Admin\AppData\Roaming\explooorrs.exe
    "C:\Users\Admin\AppData\Roaming\explooorrs.exe"
    3⤵
    PID:4580
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5072
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:3008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1384
        5⤵
        Program crash
        
        PID:1400

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 25
1⤵
- Runs ping.exe
PID:3880

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 27
1⤵
- Runs ping.exe
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explooorrs.exe

Filesize
92KB

MD5
8ddafdf0f14517b39a6aaa3c6268345e

SHA1
45430ceb1f9a70a78f295610c265dba55207d461

SHA256
39bd85c1554320a8a6ad139ecd57b9103c6745dc7c104aeb951307ae505a606f

SHA512
84277b8b2ccf21e20bf342af064906e2ddc648cf043e812d61f027d5ee2ab9d26837da309bd82f1343da00caaa1bbfda7ba7b9160114a7f7dd11d30c0d92a608

Download Submit
memory/2464-1-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2464-12-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2464-3-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/2464-5-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2464-6-0x0000000005340000-0x0000000005384000-memory.dmp

Filesize
272KB

Download
memory/2464-7-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

Filesize
40KB

Download
memory/2464-8-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2464-9-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2464-10-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2464-0-0x00000000007B0000-0x0000000000866000-memory.dmp

Filesize
728KB

Download
memory/2464-4-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/2464-2-0x0000000004D40000-0x0000000004DDC000-memory.dmp

Filesize
624KB

Download
memory/3008-33-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3008-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3008-29-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3008-30-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3008-32-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4580-18-0x00000000006F0000-0x00000000007A6000-memory.dmp

Filesize
728KB

Download
memory/4580-25-0x0000000006FA0000-0x0000000006FA6000-memory.dmp

Filesize
24KB

Download
memory/4580-24-0x0000000006F80000-0x0000000006F9A000-memory.dmp

Filesize
104KB

Download
memory/4580-26-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4580-23-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4580-22-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4580-21-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4580-20-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4580-31-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4580-19-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing