agenttesla | 0a41f627f74d812289dcaf44378a03d7802e179c5cfb12bcf270b8070285e6fc

General

Target

8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
Size

610KB
MD5

66e196c15ec46d1e7526b1c48da1b72a
SHA1

f9b2dc950a21c296aaf57a013c3f4e93f8ebbad2
SHA256

8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9
SHA512

f8d8241d5af76033ba83caff888d325285110356b8e35175260a912cf416670465d218d7c550b9f15cc969bc2f53381cb8e41dd4f9a859cae65e4df600b6f851
SSDEEP

12288:yRfHhxVzsP5wzyNwv5gs3MjeNPq0wKrCHrT3GQzRVPUYvV3L2dXEg:yXxU5wzaktc4PEWCHfGQzbPfvFydXEg

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2432 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2728 cmd.exe
2628 WerFault.exe
2628 WerFault.exe
2628 WerFault.exe
2628 WerFault.exe
2628 WerFault.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

pid	process
2432	svchost.exe

pid	process
2728	cmd.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2432 set thread context of 1928 2432 svchost.exe regasm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1648 timeout.exe

description	pid	process	target process
PID 2432 set thread context of 1928	2432	svchost.exe	regasm.exe

pid	process
2664	schtasks.exe

pid	process
1648	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exesvchost.exe

pid	process
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exesvchost.exepowershell.exeregasm.exe

description	pid	process
Token: SeDebugPrivilege	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
Token: SeDebugPrivilege	2432	svchost.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1928	regasm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 2204 wrote to memory of 2116	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe	cmd.exe
PID 2204 wrote to memory of 2116	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe	cmd.exe
PID 2204 wrote to memory of 2116	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe	cmd.exe
PID 2204 wrote to memory of 2728	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe	cmd.exe
PID 2204 wrote to memory of 2728	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe	cmd.exe
PID 2204 wrote to memory of 2728	2204	8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe	cmd.exe
PID 2728 wrote to memory of 1648	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 1648	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 1648	2728	cmd.exe	timeout.exe
PID 2116 wrote to memory of 2664	2116	cmd.exe	schtasks.exe
PID 2116 wrote to memory of 2664	2116	cmd.exe	schtasks.exe
PID 2116 wrote to memory of 2664	2116	cmd.exe	schtasks.exe
PID 2728 wrote to memory of 2432	2728	cmd.exe	svchost.exe
PID 2728 wrote to memory of 2432	2728	cmd.exe	svchost.exe
PID 2728 wrote to memory of 2432	2728	cmd.exe	svchost.exe
PID 2432 wrote to memory of 2420	2432	svchost.exe	powershell.exe
PID 2432 wrote to memory of 2420	2432	svchost.exe	powershell.exe
PID 2432 wrote to memory of 2420	2432	svchost.exe	powershell.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 1928	2432	svchost.exe	regasm.exe
PID 2432 wrote to memory of 2628	2432	svchost.exe	WerFault.exe
PID 2432 wrote to memory of 2628	2432	svchost.exe	WerFault.exe
PID 2432 wrote to memory of 2628	2432	svchost.exe	WerFault.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe
"C:\Users\Admin\AppData\Local\Temp\8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp758D.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1648

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2432 -s 832
4⤵
- Loads dropped DLL
PID:2628

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp758D.tmp.bat
Filesize
151B

MD5
8805cd9be32ad32d09dee5a04b102fc6

SHA1
2545ed2d48e545ac33da3cf758573b676d0c97d2

SHA256
f86e1b38eb7163879716573659ea5a5af42f411df99d7e95dc97d582452b111e

SHA512
632f1ea4557a61b93d0ef5ab905af952c8a8f4bb6aef1e5761d59358954c79422c2dd2417bcb4396c7d1f7337035e8c75e2943829cd19c2cf48b019f0281fe31

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
610KB

MD5
66e196c15ec46d1e7526b1c48da1b72a

SHA1
f9b2dc950a21c296aaf57a013c3f4e93f8ebbad2

SHA256
8c5c6b99a06119e1064bfcf3f53cc66150751c0969dc37dc3603eef5535a8af9

SHA512
f8d8241d5af76033ba83caff888d325285110356b8e35175260a912cf416670465d218d7c550b9f15cc969bc2f53381cb8e41dd4f9a859cae65e4df600b6f851

Download Submit
memory/1928-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1928-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-14-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-1-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-0-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/2204-3-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2204-2-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2204-4-0x000000001B460000-0x000000001B4F4000-memory.dmp

Filesize
592KB

Download
memory/2420-31-0x000007FEEF5A0000-0x000007FEEFF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-32-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2420-35-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2420-30-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2420-33-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2420-29-0x000007FEEF5A0000-0x000007FEEFF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-39-0x000007FEEF5A0000-0x000007FEEFF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-28-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2420-27-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2432-22-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2432-21-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2432-20-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-19-0x00000000013D0000-0x00000000013DC000-memory.dmp

Filesize
48KB

Download
memory/2432-55-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-56-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/2432-57-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads