agenttesla | aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0

General

Target

aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe
Size

974KB
MD5

8fac5e61273c3395030fd331b536db36
SHA1

7ba5e0f8b6fe94a088c4dd45484f83e2134a54f2
SHA256

aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0
SHA512

e8019cd9023875d491a9b9da8fc1322291b3e473ce168ddf0776ebed9d80354d15a6b0ab4233e90a4840075495950ac85e94d02072c41f3efed3c0892dc3b860
SSDEEP

24576:xRmJkcoQricOIQxiZY1iaSpxt+GY9P1I+1oS:+JZoQrbTFZY1iaSpxtF23Z

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.titan.email
Port:
587
Username:
[email protected]
Password:
business
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 4072	3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4072	RegSvcs.exe
4072	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe
3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe
3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4072	3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe	88
PID 3004 wrote to memory of 4072	3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe	88
PID 3004 wrote to memory of 4072	3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe	88
PID 3004 wrote to memory of 4072	3004	aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe	88

C:\Users\Admin\AppData\Local\Temp\aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe
"C:\Users\Admin\AppData\Local\Temp\aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-10-0x0000000000B20000-0x0000000000B24000-memory.dmp

Filesize
16KB

Download
memory/4072-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-12-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4072-13-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4072-14-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4072-15-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/4072-16-0x0000000006330000-0x0000000006380000-memory.dmp

Filesize
320KB

Download
memory/4072-17-0x0000000006420000-0x00000000064B2000-memory.dmp

Filesize
584KB

Download
memory/4072-18-0x00000000063A0000-0x00000000063AA000-memory.dmp

Filesize
40KB

Download
memory/4072-19-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4072-20-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing