agenttesla | 9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

General

Target

TEKLİF TALEP_xlsx.exe
Size

668KB
MD5

b2ebfbb63f7ccdff15e24e4ff801c986
SHA1

584079acf1abc206fca557907ab0c258ebc21a9a
SHA256

9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7
SHA512

dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2
SSDEEP

12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFRU:zsuMA7O9nZQktjs1+ps0CI1Ox6nRU

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2604 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2648 cmd.exe
2448 WerFault.exe
2448 WerFault.exe
2448 WerFault.exe
2448 WerFault.exe
2448 WerFault.exe

pid	process
2604	svchost.exe

pid	process
2648	cmd.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TEKLİF TALEP_xlsx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	TEKLİF TALEP_xlsx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2604 set thread context of 2736 2604 svchost.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2444 timeout.exe

description	pid	process	target process
PID 2604 set thread context of 2736	2604	svchost.exe	AddInProcess32.exe

pid	process
2636	schtasks.exe

pid	process
2444	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TEKLİF TALEP_xlsx.exesvchost.exe

pid	process
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2864	TEKLİF TALEP_xlsx.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TEKLİF TALEP_xlsx.exesvchost.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2864	TEKLİF TALEP_xlsx.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeDebugPrivilege	2736	AddInProcess32.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

TEKLİF TALEP_xlsx.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 2864 wrote to memory of 2264	2864	TEKLİF TALEP_xlsx.exe	cmd.exe
PID 2864 wrote to memory of 2264	2864	TEKLİF TALEP_xlsx.exe	cmd.exe
PID 2864 wrote to memory of 2264	2864	TEKLİF TALEP_xlsx.exe	cmd.exe
PID 2864 wrote to memory of 2648	2864	TEKLİF TALEP_xlsx.exe	cmd.exe
PID 2864 wrote to memory of 2648	2864	TEKLİF TALEP_xlsx.exe	cmd.exe
PID 2864 wrote to memory of 2648	2864	TEKLİF TALEP_xlsx.exe	cmd.exe
PID 2264 wrote to memory of 2636	2264	cmd.exe	schtasks.exe
PID 2264 wrote to memory of 2636	2264	cmd.exe	schtasks.exe
PID 2264 wrote to memory of 2636	2264	cmd.exe	schtasks.exe
PID 2648 wrote to memory of 2444	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2444	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2444	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 2604	2648	cmd.exe	svchost.exe
PID 2648 wrote to memory of 2604	2648	cmd.exe	svchost.exe
PID 2648 wrote to memory of 2604	2648	cmd.exe	svchost.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2736	2604	svchost.exe	AddInProcess32.exe
PID 2604 wrote to memory of 2448	2604	svchost.exe	WerFault.exe
PID 2604 wrote to memory of 2448	2604	svchost.exe	WerFault.exe
PID 2604 wrote to memory of 2448	2604	svchost.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP_xlsx.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2444

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2604 -s 732
4⤵
- Loads dropped DLL
PID:2448

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp.bat
Filesize
151B

MD5
d6ea2d5d65e2c9f513b84409aedb09ac

SHA1
f829aba9764bb1123d12657034e8f05d6377febe

SHA256
44fc358f8f4b8142f1bd6366aac246d335677845e484ebd5086d49dd207e3f11

SHA512
e4e4342b7ae026a1f3b8096184ec5349c20cf832b927a1ec3dff2b19fd8cf023b4b4607be82a991bb696298a3154f79adc6dc9c6050f893e8e4763298545800b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
668KB

MD5
b2ebfbb63f7ccdff15e24e4ff801c986

SHA1
584079acf1abc206fca557907ab0c258ebc21a9a

SHA256
9b6287ed088ca9a4d43602c95f045bafb0f17214412a749d27a5b2c126c8edb7

SHA512
dd8d4b655504786999696f2603b915351d2daab578568f8ea181fdb54aa5eb420d2f02937eab6d6649562c243bba5259d26e04a19a0c48b894037a66dc48afe2

Download Submit
memory/2604-19-0x0000000000040000-0x000000000005A000-memory.dmp

Filesize
104KB

Download
memory/2604-38-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/2604-37-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-20-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/2604-18-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-39-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-36-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2864-0-0x0000000000890000-0x00000000008AA000-memory.dmp

Filesize
104KB

Download
memory/2864-13-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-2-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/2864-1-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-3-0x000000001B3F0000-0x000000001B484000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads