agenttesla | dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06

General

Target

SOA 820527940511.cmd.exe
Size

1.1MB
MD5

94176afdf3dfa9f3d145cedbc0128c70
SHA1

156be08e77a37f3faa48ca039e27b555429005b1
SHA256

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06
SHA512

79c624293a58a220f2e8157abfbdfcb233bc484f967f1c3dc18ef20ff9673cb82cb76098123c4305cbacf37892ca822df920402a4e07451b9fd71ff50d9a6c1e
SSDEEP

24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aa2O2EqCJWS8YGuITOeN:yTvC/MTQYxsWR7aa2AxHAO

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.agrosparta.gr
Port:
587
Username:
[email protected]
Password:
Agrosparta1209
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

Laddonia.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs Laddonia.exe
Executes dropped EXE 1 IoCs

Processes:

Laddonia.exe

pid process

3368 Laddonia.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs	Laddonia.exe

pid	process
3368	Laddonia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.ipify.org
47 api.ipify.org

flow	ioc
46	api.ipify.org
47	api.ipify.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Laddonia.exe

description pid process target process

PID 3368 set thread context of 3744 3368 Laddonia.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegSvcs.exe

pid process

3744 RegSvcs.exe
3744 RegSvcs.exe
3744 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Laddonia.exe

pid process

3368 Laddonia.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3744 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

SOA 820527940511.cmd.exeLaddonia.exe

pid process

3432 SOA 820527940511.cmd.exe
3432 SOA 820527940511.cmd.exe
3368 Laddonia.exe
3368 Laddonia.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

SOA 820527940511.cmd.exeLaddonia.exe

pid process

3432 SOA 820527940511.cmd.exe
3432 SOA 820527940511.cmd.exe
3368 Laddonia.exe
3368 Laddonia.exe

description	pid	process	target process
PID 3368 set thread context of 3744	3368	Laddonia.exe	RegSvcs.exe

pid	process
3744	RegSvcs.exe
3744	RegSvcs.exe
3744	RegSvcs.exe

pid	process
3368	Laddonia.exe

description	pid	process
Token: SeDebugPrivilege	3744	RegSvcs.exe

pid	process
3432	SOA 820527940511.cmd.exe
3432	SOA 820527940511.cmd.exe
3368	Laddonia.exe
3368	Laddonia.exe

pid	process
3432	SOA 820527940511.cmd.exe
3432	SOA 820527940511.cmd.exe
3368	Laddonia.exe
3368	Laddonia.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SOA 820527940511.cmd.exeLaddonia.exe

description	pid	process	target process
PID 3432 wrote to memory of 3368	3432	SOA 820527940511.cmd.exe	Laddonia.exe
PID 3432 wrote to memory of 3368	3432	SOA 820527940511.cmd.exe	Laddonia.exe
PID 3432 wrote to memory of 3368	3432	SOA 820527940511.cmd.exe	Laddonia.exe
PID 3368 wrote to memory of 3744	3368	Laddonia.exe	RegSvcs.exe
PID 3368 wrote to memory of 3744	3368	Laddonia.exe	RegSvcs.exe
PID 3368 wrote to memory of 3744	3368	Laddonia.exe	RegSvcs.exe
PID 3368 wrote to memory of 3744	3368	Laddonia.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SOA 820527940511.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\SOA 820527940511.cmd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
"C:\Users\Admin\AppData\Local\Temp\SOA 820527940511.cmd.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\SOA 820527940511.cmd.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
5.0MB

MD5
3818dac072ce80ff59df4e12eb392307

SHA1
eb162cdea0b26b76a176913633f37da71495ecee

SHA256
7b7e3318be466df73dec4476c776b144f6b6f509651657a5c7428a841fbaa85d

SHA512
acc41ba0ccba0a47461a8a5486e69d3b2f0fc7526e96d230a58aa7c7bba9a37bf7b14becfe92f7773d5ed98664ffd0fedcffa6e73d0769c20f16f798f75fec43

Download Submit
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
5.2MB

MD5
e51ba95e316e64f51a243054718cd3f8

SHA1
c319594dd10f63263aa31d95f8a54401d4690cde

SHA256
13cb966b6eaaded8c6101ff00aa893fc4f808a668e6f57a433490ffb2a086513

SHA512
e88b60f8c72f29249cb211576d46bb89109b0e2574764e2b0c7c2b82571c6f797e5aaf696533322330065c175cda21152e9fcee5713b6f11f4148c6972d9b940

Download Submit
C:\Users\Admin\AppData\Local\Temp\uppishly
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3432-10-0x0000000001DD0000-0x0000000001DD4000-memory.dmp

Filesize
16KB

Download
memory/3744-30-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/3744-29-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/3744-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-31-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/3744-32-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/3744-34-0x00000000065A0000-0x00000000065F0000-memory.dmp

Filesize
320KB

Download
memory/3744-35-0x0000000006690000-0x0000000006722000-memory.dmp

Filesize
584KB

Download
memory/3744-36-0x0000000006610000-0x000000000661A000-memory.dmp

Filesize
40KB

Download
memory/3744-37-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/3744-38-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads