agenttesla | dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06

General

Target

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
Size

1.1MB
MD5

94176afdf3dfa9f3d145cedbc0128c70
SHA1

156be08e77a37f3faa48ca039e27b555429005b1
SHA256

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06
SHA512

79c624293a58a220f2e8157abfbdfcb233bc484f967f1c3dc18ef20ff9673cb82cb76098123c4305cbacf37892ca822df920402a4e07451b9fd71ff50d9a6c1e
SSDEEP

24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aa2O2EqCJWS8YGuITOeN:yTvC/MTQYxsWR7aa2AxHAO

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.agrosparta.gr
Port:
587
Username:
sales@agrosparta.gr
Password:
Agrosparta1209
Email To:
jose.oliveirea655@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Drops startup file 1 IoCs

Processes:

Laddonia.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs Laddonia.exe
Executes dropped EXE 1 IoCs

Processes:

Laddonia.exe

pid process

4212 Laddonia.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs	Laddonia.exe

pid	process
4212	Laddonia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
23 api.ipify.org

flow	ioc
22	api.ipify.org
23	api.ipify.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Laddonia.exe

description pid process target process

PID 4212 set thread context of 2620 4212 Laddonia.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2620 RegSvcs.exe
2620 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Laddonia.exe

pid process

4212 Laddonia.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2620 RegSvcs.exe

description	pid	process	target process
PID 4212 set thread context of 2620	4212	Laddonia.exe	RegSvcs.exe

pid	process
2620	RegSvcs.exe
2620	RegSvcs.exe

pid	process
4212	Laddonia.exe

description	pid	process
Token: SeDebugPrivilege	2620	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exe

pid	process
4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
4212	Laddonia.exe
4212	Laddonia.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exe

pid	process
4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
4212	Laddonia.exe
4212	Laddonia.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exeLaddonia.exe

description	pid	process	target process
PID 4772 wrote to memory of 4212	4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 4772 wrote to memory of 4212	4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 4772 wrote to memory of 4212	4772	dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe	Laddonia.exe
PID 4212 wrote to memory of 2620	4212	Laddonia.exe	RegSvcs.exe
PID 4212 wrote to memory of 2620	4212	Laddonia.exe	RegSvcs.exe
PID 4212 wrote to memory of 2620	4212	Laddonia.exe	RegSvcs.exe
PID 4212 wrote to memory of 2620	4212	Laddonia.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe
"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\dcb8d73a60b84dc0f10048cd00f013fd81601e9b0a47ecf5df32ddc0cb117f06.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
12.4MB

MD5
96fe56bc3d0d9816609bb9236ae13a0a

SHA1
9929d9e96ae40361db70e2e4ce4ad3bec1d909da

SHA256
1358c6e4ca3ab332ece9216b6a6db8999f2198f9fa7917a4978dfab17904d0b5

SHA512
1d242658315f6a9695079643bd56fd72897628566745aed8d707b36d73036faa72dafd453218acdb59cab6ecdf5457bc81cb78235e844a0b66a38fa832e11536

Download Submit
C:\Users\Admin\AppData\Local\Dalymore\Laddonia.exe
Filesize
13.7MB

MD5
703b729c7ee26aae7eff0dbf77a24e0c

SHA1
c9dae8540c878ef1443b6bc9534bec29e85495e0

SHA256
081389320867178944b948c4f0edc07cc050294f9490216d527fdbe84bed4071

SHA512
9f5ee9c88ec3528f534b4d4c8ff19accd3fa9c91cfeca4943cae0359b289f102d77a018d1e9a3d453636d2199effd7ed10338a83ebeaea7c4a09edcb7fe9b8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kinematical
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2620-30-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/2620-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-29-0x0000000074850000-0x0000000075000000-memory.dmp

Filesize
7.7MB

Download
memory/2620-31-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/2620-32-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/2620-34-0x0000000006CB0000-0x0000000006D00000-memory.dmp

Filesize
320KB

Download
memory/2620-35-0x0000000006DA0000-0x0000000006E32000-memory.dmp

Filesize
584KB

Download
memory/2620-36-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/2620-37-0x0000000074850000-0x0000000075000000-memory.dmp

Filesize
7.7MB

Download
memory/2620-38-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4772-10-0x00000000042B0000-0x00000000042B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads