agenttesla | 9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4

General

Target

9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe
Size

613KB
MD5

b32eb4a8fe11ff1285c91012101a6b1c
SHA1

323ef8a89c0818681b876e9dd38a766a7ff7ea9c
SHA256

9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4
SHA512

58f4c116b178e438682bb4c70ec780863b8fdac10327c472160b7bb14c864448070862728a8b9f53fc827c018e418937d7999f6267b9b7cb2e69f20e0629dc15
SSDEEP

12288:YpqoRGAfwtAerE0Sz+lT6jkdznt7sKNVFyinAfQdpTQlefYdtm68ZqV4:4RGcwGMmz+dpzn1E7fQd1IefYqqV4

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2724 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2908 cmd.exe
1192 WerFault.exe
1192 WerFault.exe
1192 WerFault.exe
1192 WerFault.exe
1192 WerFault.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

pid	process
2724	svchost.exe

pid	process
2908	cmd.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe
1192	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2724 set thread context of 1900 2724 svchost.exe installutil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2120 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2752 timeout.exe

description	pid	process	target process
PID 2724 set thread context of 1900	2724	svchost.exe	installutil.exe

pid	process
2120	schtasks.exe

pid	process
2752	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exepowershell.exeinstallutil.exe

pid	process
2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe
2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe
2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe
2496	powershell.exe
1900	installutil.exe
1900	installutil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exesvchost.exepowershell.exeinstallutil.exe

description	pid	process
Token: SeDebugPrivilege	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe
Token: SeDebugPrivilege	2724	svchost.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1900	installutil.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 2700 wrote to memory of 2632	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe	cmd.exe
PID 2700 wrote to memory of 2632	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe	cmd.exe
PID 2700 wrote to memory of 2632	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe	cmd.exe
PID 2700 wrote to memory of 2908	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe	cmd.exe
PID 2700 wrote to memory of 2908	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe	cmd.exe
PID 2700 wrote to memory of 2908	2700	9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe	cmd.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2120	2632	cmd.exe	schtasks.exe
PID 2908 wrote to memory of 2752	2908	cmd.exe	timeout.exe
PID 2908 wrote to memory of 2752	2908	cmd.exe	timeout.exe
PID 2908 wrote to memory of 2752	2908	cmd.exe	timeout.exe
PID 2908 wrote to memory of 2724	2908	cmd.exe	svchost.exe
PID 2908 wrote to memory of 2724	2908	cmd.exe	svchost.exe
PID 2908 wrote to memory of 2724	2908	cmd.exe	svchost.exe
PID 2724 wrote to memory of 2496	2724	svchost.exe	powershell.exe
PID 2724 wrote to memory of 2496	2724	svchost.exe	powershell.exe
PID 2724 wrote to memory of 2496	2724	svchost.exe	powershell.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 2288	2724	svchost.exe	regsvcs.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1900	2724	svchost.exe	installutil.exe
PID 2724 wrote to memory of 1192	2724	svchost.exe	WerFault.exe
PID 2724 wrote to memory of 1192	2724	svchost.exe	WerFault.exe
PID 2724 wrote to memory of 1192	2724	svchost.exe	WerFault.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe
"C:\Users\Admin\AppData\Local\Temp\9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC8E.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2752

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
4⤵
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2724 -s 868
4⤵
- Loads dropped DLL
PID:1192

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC8E.tmp.bat
Filesize
150B

MD5
a4db57d7b29fda08b7d7ce4ed0503f23

SHA1
7b21cb31febcf9e9a358a3559890f926d0377145

SHA256
a72b71993c050f4c1feaeb2584547438331e419e7a7c939564143db0ab235ac8

SHA512
f8118bd95d2835e6106f113d25ca66b64e4803285a2385a8da0fff6d774c3f517e8f1b96ea666793228099be44e51a302778f55cc9c9c3945331e5a1f5fe1341

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
613KB

MD5
b32eb4a8fe11ff1285c91012101a6b1c

SHA1
323ef8a89c0818681b876e9dd38a766a7ff7ea9c

SHA256
9c4fc8863b69831ba6b261d813788cd49677c2f02fe9c82ad8426141cd326ef4

SHA512
58f4c116b178e438682bb4c70ec780863b8fdac10327c472160b7bb14c864448070862728a8b9f53fc827c018e418937d7999f6267b9b7cb2e69f20e0629dc15

Download Submit
memory/1900-53-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1900-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-56-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1900-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-57-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/1900-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1900-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-29-0x000007FEED670000-0x000007FEEE00D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-51-0x000007FEED670000-0x000007FEEE00D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-30-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2496-31-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2496-26-0x000007FEED670000-0x000007FEEE00D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-27-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/2496-34-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2496-28-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2496-25-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2700-13-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-0-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2700-3-0x0000000001FE0000-0x0000000002076000-memory.dmp

Filesize
600KB

Download
memory/2700-2-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2700-1-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-20-0x000000001A6D0000-0x000000001A750000-memory.dmp

Filesize
512KB

Download
memory/2724-19-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-18-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2724-54-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-55-0x000000001A6D0000-0x000000001A750000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads