agenttesla | dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06

General

Target

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
Size

1.1MB
MD5

94176afdf3dfa9f3d145cedbc0128c70
SHA1

156be08e77a37f3faa48ca039e27b555429005b1
SHA256

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06
SHA512

79c624293a58a220f2e8157abfbdfcb233bc484f967f1c3dc18ef20ff9673cb82cb76098123c4305cbacf37892ca822df920402a4e07451b9fd71ff50d9a6c1e
SSDEEP

24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aa2O2EqCJWS8YGuITOeN:yTvC/MTQYxsWR7aa2AxHAO

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.agrosparta.gr
Port:
587
Username:
sales@agrosparta.gr
Password:
Agrosparta1209
Email To:
jose.oliveirea655@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Drops startup file 1 IoCs

Processes:

Laddonia.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs Laddonia.exe
Executes dropped EXE 1 IoCs

Processes:

Laddonia.exe

pid process

2592 Laddonia.exe
Loads dropped DLL 1 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe

pid process

2136 dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs	Laddonia.exe

pid	process
2592	Laddonia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Laddonia.exe

description pid process target process

PID 2592 set thread context of 2668 2592 Laddonia.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2668 RegSvcs.exe
2668 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Laddonia.exe

pid process

2592 Laddonia.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2668 RegSvcs.exe

description	pid	process	target process
PID 2592 set thread context of 2668	2592	Laddonia.exe	RegSvcs.exe

pid	process
2668	RegSvcs.exe
2668	RegSvcs.exe

pid	process
2592	Laddonia.exe

description	pid	process
Token: SeDebugPrivilege	2668	RegSvcs.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exe

pid	process
2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
2592	Laddonia.exe
2592	Laddonia.exe
2592	Laddonia.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exe

pid	process
2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
2592	Laddonia.exe
2592	Laddonia.exe
2592	Laddonia.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exe

description	pid	process	target process
PID 2136 wrote to memory of 2592	2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 2136 wrote to memory of 2592	2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 2136 wrote to memory of 2592	2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 2136 wrote to memory of 2592	2136	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe
PID 2592 wrote to memory of 2668	2592	Laddonia.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
15.5MB

MD5
8dc872cde456397f57918b1c79b07a8e

SHA1
8f71505d4b826af069f7b5089bef822470a5b9df

SHA256
89810919aae95594827deaf0172f101aa1f12a4f85bb2da58b8f094f78147200

SHA512
ff66d71471ca97213770a92c33df06147431fa3475b91fee58a6d59fe16cd6e9388a25826995a6b84c754d22c346162cb796179184f03d2902039be3b7dc3743

Download Submit
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
15.5MB

MD5
6625385f95f0ffe1859b1fae768d6fdc

SHA1
52f8d2e2c514e112e11289aa76415ea029290928

SHA256
30703adc0a01467d13ab2f9b7b6012eacfbbb221e9f07da57998cf406a58538d

SHA512
05005fee10363d048ab86fdaec7f1f8f384353588d03cf8419000a2b8ba061fd1817d9ee561590e6eb118af530657db8ef087e33cae65b3b1f59c6a5e535021b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uppishly
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
10.2MB

MD5
1a4a50919cd35efad9002257263e8b47

SHA1
75591e6df5b8e2e083558b0433e270f60bfa6fe2

SHA256
bc059a5517fd70d38073c73d44add9e1d3fa61be2fd0022284c54d3099837535

SHA512
a395eb6bcc6e7ac946ae468cde682bffff99cfd5846089a5a9372af25cda0d9aac01b49806ab9ebe286663d64a5c58df4a74a3770c0ff7b01a6b4a1c174b4da6

Download Submit
memory/2136-10-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2668-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-35-0x0000000073E50000-0x000000007453E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-36-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2668-38-0x0000000073E50000-0x000000007453E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-39-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads