agenttesla | db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d

General

Target

db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
Size

1.0MB
MD5

a137ddf047bb1db826af4ccb3110db6d
SHA1

dd93f6c84d0b01d78d7eae68811e8f5edd512019
SHA256

db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d
SHA512

bc6a5259b8dbf751ad5024b35c556afff2db8b85f9f784f07b72dfc6099d5a6b9a28dd6802fb780c9764e68fc85c62abda45449a92f12a917ffb17a40223b475
SSDEEP

24576:dtb20pkaCqT5TBWgNQ7anf9xR7LkwR6A:OVg5tQ7anfBLj5

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isochronal.vbs	isochronal.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	isochronal.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023203-13.dat	autoit_exe
behavioral2/files/0x0007000000023203-14.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 3152	2848	isochronal.exe	98

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3152	RegSvcs.exe
3152	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2848	isochronal.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	RegSvcs.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
2848	isochronal.exe
2848	isochronal.exe
2848	isochronal.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
2848	isochronal.exe
2848	isochronal.exe
2848	isochronal.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2848	3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe	95
PID 3680 wrote to memory of 2848	3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe	95
PID 3680 wrote to memory of 2848	3680	db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe	95
PID 2848 wrote to memory of 3152	2848	isochronal.exe	98
PID 2848 wrote to memory of 3152	2848	isochronal.exe	98
PID 2848 wrote to memory of 3152	2848	isochronal.exe	98
PID 2848 wrote to memory of 3152	2848	isochronal.exe	98

C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe
"C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\penstocks\isochronal.exe
  "C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\penstocks\isochronal.exe

Filesize
10.6MB

MD5
2ed70b7e40ee933d262bc26690f54599

SHA1
be4dd023b98baca1da230bc7f1b73b87223ef05e

SHA256
3be687d7a6d01719a6d7534e2165ffba855ebc61d50b04d32599a1ed3c71f90f

SHA512
4140b80147b83b3dce19f9a4674c49ebacb627b1c7b39754e6639291bc089bb21c9a438edc912e48bef056135de74166d7d3729498004149fd390268d17b5f9c

Download Submit
C:\Users\Admin\AppData\Local\penstocks\isochronal.exe

Filesize
12.1MB

MD5
825333cbd7495113174265170547de3a

SHA1
ae6f72eb21f6c17ad81b8736a173ffe7ad2c8661

SHA256
3052f8b9fb3a2d71e260d954fa8600fbcf769a0a8766f253dd55f37f9ba1fb15

SHA512
094d982a2d6b686400d97813cff65096e5ca4af190c0c8d13626663fa019f1e0bfda81e3d9d18dacf1d53dfca9436537e7a30f5013f4c2f47b6b7a8d3738be36

Download Submit
memory/3152-30-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/3152-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3152-29-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3152-31-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/3152-32-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/3152-33-0x0000000006B00000-0x0000000006B50000-memory.dmp

Filesize
320KB

Download
memory/3152-34-0x0000000006BF0000-0x0000000006C82000-memory.dmp

Filesize
584KB

Download
memory/3152-35-0x0000000006B80000-0x0000000006B8A000-memory.dmp

Filesize
40KB

Download
memory/3152-36-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3152-37-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/3680-10-0x00000000034C0000-0x00000000034C4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing