agenttesla | 5ef54546f5fa8df146ad0f61c94bf08391c5ae1ffc7ae78a291624e70655b363

General

Target

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
Size

660KB
MD5

818c1d4d7b71a802240c5b04010c0929
SHA1

21ab4b40707da5ccdadf53c37458cc5b5ea674a7
SHA256

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a
SHA512

fb4e9f6eb2b8b4e1f5e9e3b332a3bc40297f69924c60c052632e68ba44e666c2ceea9b5dc2b6aeb0125ebb03b722e5b1668c8ad90618e0a2e96e2c892584892a
SSDEEP

12288:aH2iNlw09szFS6U2/fdkuj+JvDUPXn1+hVh7ziEy27/MxC1GKuMDwK5J8XVhB+g:01XKC2XdLj+JLSX1kEE/M4wK/wK5qVH9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oceanskylogistics.in
Port:
587
Username:
[email protected]
Password:
Oce@n@1234
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JLfew = "C:\\Users\\Admin\\AppData\\Roaming\\JLfew\\JLfew.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
44 api.ipify.org

flow	ioc
43	api.ipify.org
44	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe

description	pid	process	target process
PID 3356 set thread context of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2492 schtasks.exe

pid	process
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

pid	process
3532	powershell.exe
3532	powershell.exe
4392	powershell.exe
4392	powershell.exe
940	RegSvcs.exe
940	RegSvcs.exe
940	RegSvcs.exe
3532	powershell.exe
4392	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 3532 powershell.exe
Token: SeDebugPrivilege 4392 powershell.exe
Token: SeDebugPrivilege 940 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	940	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe

description	pid	process	target process
PID 3356 wrote to memory of 4392	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	powershell.exe
PID 3356 wrote to memory of 4392	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	powershell.exe
PID 3356 wrote to memory of 4392	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	powershell.exe
PID 3356 wrote to memory of 3532	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	powershell.exe
PID 3356 wrote to memory of 3532	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	powershell.exe
PID 3356 wrote to memory of 3532	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	powershell.exe
PID 3356 wrote to memory of 2492	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	schtasks.exe
PID 3356 wrote to memory of 2492	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	schtasks.exe
PID 3356 wrote to memory of 2492	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	schtasks.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe
PID 3356 wrote to memory of 940	3356	b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
"C:\Users\Admin\AppData\Local\Temp\b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uJJKThDIVHPLhE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uJJKThDIVHPLhE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64A1.tmp"
2⤵
- Creates scheduled task(s)
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3484 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44x4mp3k.gnd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64A1.tmp
Filesize
1KB

MD5
8e313d9b3a51ef4df96973e580b518c2

SHA1
411fc7468d31b4623d4019c116114eda58011255

SHA256
06a8a9c038fe5f8f51b15a638c144bd73879c27ddeb1cee3cafc6bba95aa3f41

SHA512
caddf5ad20d02edda07678ae1dca337f8cfcd398e1841aa7508597cadff1dd8a039a791686c8094867b40806988801fcb091f29f2b870a6dfba0809718d8036f

Download Submit
memory/940-30-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/940-25-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/940-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-87-0x0000000006560000-0x00000000065B0000-memory.dmp

Filesize
320KB

Download
memory/940-95-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/940-96-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3356-10-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3356-9-0x00000000060B0000-0x0000000006134000-memory.dmp

Filesize
528KB

Download
memory/3356-8-0x0000000004C60000-0x0000000004C6C000-memory.dmp

Filesize
48KB

Download
memory/3356-12-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3356-7-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3356-6-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/3356-5-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

Filesize
40KB

Download
memory/3356-0-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3356-4-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3356-29-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3356-3-0x0000000004B40000-0x0000000004BD2000-memory.dmp

Filesize
584KB

Download
memory/3356-2-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/3356-1-0x0000000000030000-0x00000000000DA000-memory.dmp

Filesize
680KB

Download
memory/3532-84-0x0000000006370000-0x000000000637A000-memory.dmp

Filesize
40KB

Download
memory/3532-99-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3532-26-0x0000000004F20000-0x0000000004F42000-memory.dmp

Filesize
136KB

Download
memory/3532-21-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/3532-28-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/3532-20-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3532-41-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/3532-50-0x0000000004CA0000-0x0000000004CBE000-memory.dmp

Filesize
120KB

Download
memory/3532-51-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/3532-82-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/3532-92-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/3532-54-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3532-90-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3532-56-0x000000007F930000-0x000000007F940000-memory.dmp

Filesize
64KB

Download
memory/3532-86-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3532-58-0x00000000708D0000-0x000000007091C000-memory.dmp

Filesize
304KB

Download
memory/3532-69-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3532-19-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3532-79-0x0000000006FA0000-0x0000000007043000-memory.dmp

Filesize
652KB

Download
memory/4392-53-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4392-81-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4392-83-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/4392-68-0x00000000708D0000-0x000000007091C000-memory.dmp

Filesize
304KB

Download
memory/4392-85-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4392-57-0x0000000006FE0000-0x0000000007012000-memory.dmp

Filesize
200KB

Download
memory/4392-17-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4392-88-0x0000000007FB0000-0x0000000008046000-memory.dmp

Filesize
600KB

Download
memory/4392-89-0x0000000007F30000-0x0000000007F41000-memory.dmp

Filesize
68KB

Download
memory/4392-55-0x000000007F510000-0x000000007F520000-memory.dmp

Filesize
64KB

Download
memory/4392-91-0x0000000007FA0000-0x0000000007FAE000-memory.dmp

Filesize
56KB

Download
memory/4392-27-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/4392-93-0x00000000080F0000-0x000000000810A000-memory.dmp

Filesize
104KB

Download
memory/4392-94-0x00000000080D0000-0x00000000080D8000-memory.dmp

Filesize
32KB

Download
memory/4392-15-0x0000000005460000-0x0000000005496000-memory.dmp

Filesize
216KB

Download
memory/4392-14-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4392-52-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4392-100-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads