agenttesla | 7c0623d283f1d10a1495e895ffd1924089db69442ceeee280a21f4bedeef5b5c

General

Target

FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe
Size

343KB
MD5

c76efdb4e5635149c1b497d97a4f6705
SHA1

ae650c66fbd30e7b2f82e00b05f144327855a242
SHA256

8c25cf13e11a0e70496fd6b29c06791d67e88fac769bbc01b246f6b9185d01ec
SHA512

449015833804ab73f3ec1a31b6398ee5e732ca2130a2a3478fc3a04d1472a070e8adf1c2416889a6696814d46078946a95677bdb596e974a1a32d4bb48006a8f
SSDEEP

6144:zQYp57TecLU2TK+yo8wtWrC9XhRNnDRW5fZiIjQmlLE5AtWY1ef+Cs:V7acU2eFo8wgWxRnlW5YVmlLXrd

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://discordapp.com/api/webhooks/1229525528889786609/tOVMO5Z_M4BA48Kk7Vwyiyo80wiXk4VHzcMKDBdjj1I0tjfpqTfl5EWKQHiVRMHeN6XR

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	api.ipify.org
38	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3244	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe
3244	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3244	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90
PID 1988 wrote to memory of 3244	1988	FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe	90

C:\Users\Admin\AppData\Local\Temp\FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe
"C:\Users\Admin\AppData\Local\Temp\FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe
  "C:\Users\Admin\AppData\Local\Temp\FACTURA DE CRÉDITO E_Ecr_000800000108 (1)..exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-12-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1988-0-0x0000000000BA0000-0x0000000000BFC000-memory.dmp

Filesize
368KB

Download
memory/1988-2-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/1988-3-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/1988-4-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/1988-5-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/1988-6-0x00000000057F0000-0x0000000005846000-memory.dmp

Filesize
344KB

Download
memory/1988-7-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/1988-1-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3244-9-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3244-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-11-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/3244-10-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/3244-15-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download
memory/3244-16-0x0000000006F70000-0x000000000700C000-memory.dmp

Filesize
624KB

Download
memory/3244-17-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3244-18-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads