agenttesla | e7c30df0932d6ccaffe8eb817c2ed422920fb958b04d38f3f8c53f3a9953f214

General

Target

e178ae1de056b3463f929009b08b3c03.exe
Size

490KB
MD5

e178ae1de056b3463f929009b08b3c03
SHA1

e1e363f5e0cee78e1a2d2ad606be7529c58203c2
SHA256

e7c30df0932d6ccaffe8eb817c2ed422920fb958b04d38f3f8c53f3a9953f214
SHA512

6bdb2875bb60447daea8760ef76977545e2c9a6a8163a4bbecf57009aed0784ee9795ff9111f06beb6e6e99aea2764a7db8637e426a2a2338c7bb4b89b9e40b7
SSDEEP

6144:BJCUD1099JzbK9ju7xtH9lSirp+wjUzkx7EZBJ+Z/q3fM/Vd9A1MbEWNN15naFv4:V49H3LMwjU8qBJKi3GTS13wN8v6eC

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.fakly-cambodia.com
Port:
587
Username:
[email protected]
Password:
Mmhh#2014

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5072-16-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions e178ae1de056b3463f929009b08b3c03.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools e178ae1de056b3463f929009b08b3c03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	e178ae1de056b3463f929009b08b3c03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	e178ae1de056b3463f929009b08b3c03.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e178ae1de056b3463f929009b08b3c03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e178ae1de056b3463f929009b08b3c03.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	e178ae1de056b3463f929009b08b3c03.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e178ae1de056b3463f929009b08b3c03.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	e178ae1de056b3463f929009b08b3c03.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description pid process target process

PID 1504 set thread context of 5072 1504 e178ae1de056b3463f929009b08b3c03.exe e178ae1de056b3463f929009b08b3c03.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2296 schtasks.exe

description	pid	process	target process
PID 1504 set thread context of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe

pid	process
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e178ae1de056b3463f929009b08b3c03.exee178ae1de056b3463f929009b08b3c03.exe

pid	process
1504	e178ae1de056b3463f929009b08b3c03.exe
1504	e178ae1de056b3463f929009b08b3c03.exe
1504	e178ae1de056b3463f929009b08b3c03.exe
5072	e178ae1de056b3463f929009b08b3c03.exe
5072	e178ae1de056b3463f929009b08b3c03.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e178ae1de056b3463f929009b08b3c03.exee178ae1de056b3463f929009b08b3c03.exe

description pid process

Token: SeDebugPrivilege 1504 e178ae1de056b3463f929009b08b3c03.exe
Token: SeDebugPrivilege 5072 e178ae1de056b3463f929009b08b3c03.exe

description	pid	process
Token: SeDebugPrivilege	1504	e178ae1de056b3463f929009b08b3c03.exe
Token: SeDebugPrivilege	5072	e178ae1de056b3463f929009b08b3c03.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e178ae1de056b3463f929009b08b3c03.exe

description	pid	process	target process
PID 1504 wrote to memory of 2296	1504	e178ae1de056b3463f929009b08b3c03.exe	schtasks.exe
PID 1504 wrote to memory of 2296	1504	e178ae1de056b3463f929009b08b3c03.exe	schtasks.exe
PID 1504 wrote to memory of 2296	1504	e178ae1de056b3463f929009b08b3c03.exe	schtasks.exe
PID 1504 wrote to memory of 4992	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 4992	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 4992	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe
PID 1504 wrote to memory of 5072	1504	e178ae1de056b3463f929009b08b3c03.exe	e178ae1de056b3463f929009b08b3c03.exe

C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe
"C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfBaIWTX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6462.tmp"
2⤵
- Creates scheduled task(s)
PID:2296

C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe
"{path}"
2⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6462.tmp
Filesize
1KB

MD5
06dc503bdd17946a8f2ca1b8b5371f77

SHA1
163566deb8a762a2a307cabeaecbb25a5410bb49

SHA256
97210b023ea0b6861a3fdcc25a63bd0365f561f18eea9da81a7a2d0ecb39d948

SHA512
8065627ef47db7a0c524018f3bfe9631aaa4ad772b3f9b4ec0b9ed2edf6b4cd321a75d826e4369e9839b3fbccebdc57d30dfa960c6fb0eddc8f2410695b8d43a

Download Submit
memory/1504-10-0x00000000078E0000-0x0000000007968000-memory.dmp

Filesize
544KB

Download
memory/1504-11-0x0000000006120000-0x0000000006160000-memory.dmp

Filesize
256KB

Download
memory/1504-3-0x0000000004AA0000-0x0000000004B32000-memory.dmp

Filesize
584KB

Download
memory/1504-4-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1504-5-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/1504-6-0x00000000056D0000-0x00000000056D8000-memory.dmp

Filesize
32KB

Download
memory/1504-7-0x0000000006040000-0x00000000060DC000-memory.dmp

Filesize
624KB

Download
memory/1504-20-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-9-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1504-2-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/1504-8-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-12-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/1504-1-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-0-0x0000000000110000-0x0000000000190000-memory.dmp

Filesize
512KB

Download
memory/5072-21-0x0000000004FD0000-0x0000000004FE8000-memory.dmp

Filesize
96KB

Download
memory/5072-19-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/5072-18-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-22-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-23-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads