agenttesla | 0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305

General

Target

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
Size

747KB
MD5

93da4f364deae0c5dccb3d9ab2e1c67a
SHA1

e65df8007dae4cddbb1119c7dcc0737328c760d7
SHA256

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305
SHA512

436a1a3fa33acb21ddc76d0191b204cf86a83ad587dfb9c97a0ae8d9e3bfa8602bc59162cbfdfdea57988151dcc386769d395fa81f3c7b87e55b9a8e650482b6
SSDEEP

12288:TkMayww0KgdH8+WXfJxsXqmUUwyFT9kgwyXROOTa85gijVdIaNv:zajSQC/0we5kwROOTa85PjrNN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://discordapp.com/api/webhooks/1209079326381703258/KMWScJ3_PST6cUhH_FpNX9xquPQydoTw5ra7lQhfDovLGBW7jR_Rk634D6j1s1IOLj61

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1384-8-0x0000000004FD0000-0x0000000004FDC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.ipify.org
40 api.ipify.org

flow	ioc
39	api.ipify.org
40	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe

description	pid	process	target process
PID 1384 set thread context of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exeRegSvcs.exepowershell.exe

pid	process
1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
4732	RegSvcs.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exeRegSvcs.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
Token: SeDebugPrivilege	4732	RegSvcs.exe
Token: SeDebugPrivilege	2904	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

4732 RegSvcs.exe

pid	process
4732	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe

description	pid	process	target process
PID 1384 wrote to memory of 2904	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	powershell.exe
PID 1384 wrote to memory of 2904	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	powershell.exe
PID 1384 wrote to memory of 2904	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	powershell.exe
PID 1384 wrote to memory of 936	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 936	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 936	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe
PID 1384 wrote to memory of 4732	1384	0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
"C:\Users\Admin\AppData\Local\Temp\0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
1⤵
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwf0hhhg.qj1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1384-14-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/1384-0-0x0000000000280000-0x0000000000342000-memory.dmp

Filesize
776KB

Download
memory/1384-2-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/1384-3-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/1384-4-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1384-5-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/1384-6-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/1384-7-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/1384-8-0x0000000004FD0000-0x0000000004FDC000-memory.dmp

Filesize
48KB

Download
memory/1384-9-0x0000000006360000-0x00000000063E4000-memory.dmp

Filesize
528KB

Download
memory/1384-1-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2904-51-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/2904-36-0x0000000006DD0000-0x0000000006E02000-memory.dmp

Filesize
200KB

Download
memory/2904-16-0x0000000000CD0000-0x0000000000D06000-memory.dmp

Filesize
216KB

Download
memory/2904-15-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2904-61-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/2904-20-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/2904-58-0x00000000073F0000-0x00000000073F8000-memory.dmp

Filesize
32KB

Download
memory/2904-18-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/2904-21-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/2904-22-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download
memory/2904-57-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/2904-32-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-33-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/2904-34-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/2904-35-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/2904-13-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/2904-37-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/2904-47-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/2904-48-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/2904-56-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/2904-50-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/2904-55-0x0000000007300000-0x000000000730E000-memory.dmp

Filesize
56KB

Download
memory/2904-52-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/2904-53-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/2904-54-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/4732-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4732-49-0x00000000065F0000-0x0000000006640000-memory.dmp

Filesize
320KB

Download
memory/4732-12-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4732-19-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/4732-17-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4732-62-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/4732-63-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads