agenttesla | e3f18448db706644cd729bf5be9d94dd322cf4d00f439a9ca0b1768afb1de9d9

General

Target

REX Obfuscator.exe
Size

4.1MB
MD5

6b5501b9e9a8ca4e53b3ea6f0d0f1db9
SHA1

19df7d4b6aabf5d72d3ffe89e4ec130ff1001124
SHA256

f3a45fdc397b1eec7c45664681d566cb68d36701c1f1754ddc2dcb9a439a70f8
SHA512

3970a9e72dcaf82acf0a32c2bceb3ab2bb87614d79e893a318fbc5971f41a310911037ce5c4081aaebb7084ba9747a5d8a020ac8032fbfc8c1c1aabaf6b888a9
SSDEEP

49152:kUUd3LmqgfVwPns0hPEwNYRjLDtAgEGiSKbKmdQxrOL79l523xLJcIF:kUUd3L9gt2h8IYRjL5AHFSKO5g9l520g

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2820-8-0x0000000006330000-0x0000000006542000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

REX Obfuscator.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions REX Obfuscator.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

REX Obfuscator.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools REX Obfuscator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	REX Obfuscator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	REX Obfuscator.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

REX Obfuscator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	REX Obfuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	REX Obfuscator.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

REX Obfuscator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	REX Obfuscator.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	REX Obfuscator.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

REX Obfuscator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	REX Obfuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	REX Obfuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	REX Obfuscator.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

REX Obfuscator.exe

pid	process
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe
2820	REX Obfuscator.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

REX Obfuscator.exe

description pid process

Token: SeDebugPrivilege 2820 REX Obfuscator.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

REX Obfuscator.exe

pid process

2820 REX Obfuscator.exe

description	pid	process
Token: SeDebugPrivilege	2820	REX Obfuscator.exe

C:\Users\Admin\AppData\Local\Temp\REX Obfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\REX Obfuscator.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-0-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2820-1-0x00000000006A0000-0x0000000000ACA000-memory.dmp

Filesize
4.2MB

Download
memory/2820-2-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/2820-3-0x0000000005670000-0x000000000580C000-memory.dmp

Filesize
1.6MB

Download
memory/2820-4-0x0000000006EF0000-0x0000000007494000-memory.dmp

Filesize
5.6MB

Download
memory/2820-5-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/2820-6-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/2820-7-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/2820-8-0x0000000006330000-0x0000000006542000-memory.dmp

Filesize
2.1MB

Download
memory/2820-9-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/2820-10-0x0000000007DC0000-0x0000000007DD2000-memory.dmp

Filesize
72KB

Download
memory/2820-11-0x0000000007EC0000-0x0000000007F72000-memory.dmp

Filesize
712KB

Download
memory/2820-13-0x0000000009880000-0x00000000098BC000-memory.dmp

Filesize
240KB

Download
memory/2820-14-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2820-15-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/2820-16-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/2820-17-0x000000000A2C0000-0x000000000A614000-memory.dmp

Filesize
3.3MB

Download
memory/2820-22-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/2820-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads