agenttesla | afa6c3d7ad8dd1549ebfc7ba04328b301b080aa20531b9a522bf954f680a1709

General

Target

BARSYL SHIPPING Co (VIETNAM).exe
Size

669KB
MD5

5385333a8618dac516b8b33b0bbf11a1
SHA1

3a1171327abe7aefeb85914afae6ec6c8bfbe6e0
SHA256

6c06c665c435cf95787310f59e984006711d50bf091ae610cb4440abae1448c4
SHA512

0392fd0fc5f79b8c19655d279e882bf7cd83a4d841d1bf1f1845997396368734866f47d06c19fa0da48ecc305d2113611f65153e07ff6aae0c99a8137e9e3cea
SSDEEP

12288:x4WzE3RYDR05N+rTd2/6pjhHyKj1jb9WKhsq9Q/V8pekTGzd2S96QKNe:1WR03BAWj0Kj17YV8petwsK

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.starmech.net
Port:
587
Username:
[email protected]
Password:
nics123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\BjTxJte = "C:\\Users\\Admin\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

BARSYL SHIPPING Co (VIETNAM).exe

description pid process target process

PID 1640 set thread context of 2512 1640 BARSYL SHIPPING Co (VIETNAM).exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2928 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 1640 set thread context of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe

pid	process
2928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

BARSYL SHIPPING Co (VIETNAM).exepowershell.exepowershell.exeRegSvcs.exe

pid	process
1640	BARSYL SHIPPING Co (VIETNAM).exe
2912	powershell.exe
2872	powershell.exe
1640	BARSYL SHIPPING Co (VIETNAM).exe
1640	BARSYL SHIPPING Co (VIETNAM).exe
1640	BARSYL SHIPPING Co (VIETNAM).exe
2512	RegSvcs.exe
2512	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

BARSYL SHIPPING Co (VIETNAM).exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1640	BARSYL SHIPPING Co (VIETNAM).exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2512	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2512 RegSvcs.exe

pid	process
2512	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

BARSYL SHIPPING Co (VIETNAM).exe

description	pid	process	target process
PID 1640 wrote to memory of 2872	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2872	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2872	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2872	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2912	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2912	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2912	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2912	1640	BARSYL SHIPPING Co (VIETNAM).exe	powershell.exe
PID 1640 wrote to memory of 2928	1640	BARSYL SHIPPING Co (VIETNAM).exe	schtasks.exe
PID 1640 wrote to memory of 2928	1640	BARSYL SHIPPING Co (VIETNAM).exe	schtasks.exe
PID 1640 wrote to memory of 2928	1640	BARSYL SHIPPING Co (VIETNAM).exe	schtasks.exe
PID 1640 wrote to memory of 2928	1640	BARSYL SHIPPING Co (VIETNAM).exe	schtasks.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2540	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe
PID 1640 wrote to memory of 2512	1640	BARSYL SHIPPING Co (VIETNAM).exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\BARSYL SHIPPING Co (VIETNAM).exe
"C:\Users\Admin\AppData\Local\Temp\BARSYL SHIPPING Co (VIETNAM).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BARSYL SHIPPING Co (VIETNAM).exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wpvgIECypA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wpvgIECypA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8A3.tmp"
2⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD8A3.tmp
Filesize
1KB

MD5
fa15ffbfa63fe0e6c388bca2a1fe55c8

SHA1
73aace0a423991f0140b0e6e85b3b0826f891a73

SHA256
8a9843a29291516c4ee2e4caa7cbd429f87c47f5065f841a5b7b773d918bd337

SHA512
e9c0ef762ee7472ea11ed3a5cccaab8496b7a72f2f97c5e29ce1f8d404c7c1ee67b878e0220332f5d74793370ef8eeb5af14d9e888d8874346868b2d5049ce72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
06b8f1167c722111f03aae2a544816c3

SHA1
636b45f0ee84daa37850c0348aa098ec254c6143

SHA256
b1c4e8b4044b17bc069e6d1c888a620cacb06370bb315ee5e06fb21c739d2f1d

SHA512
5e54e6c1b0f707622152ffba805d88f695c749a6d5a6b79f827a53193d60c857bca4b54451a3dcc4238176a8f9a3ac13ba7f56841b7da5b9607ab30a7fd14b09

Download Submit
memory/1640-0-0x00000000013D0000-0x000000000147E000-memory.dmp

Filesize
696KB

Download
memory/1640-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1640-3-0x0000000004FC0000-0x000000000505E000-memory.dmp

Filesize
632KB

Download
memory/1640-4-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/1640-6-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/1640-5-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1640-7-0x0000000000380000-0x0000000000404000-memory.dmp

Filesize
528KB

Download
memory/1640-45-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-52-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2512-51-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2512-47-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2512-46-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2512-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-25-0x000000006DE80000-0x000000006E42B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-28-0x0000000001E70000-0x0000000001EB0000-memory.dmp

Filesize
256KB

Download
memory/2872-36-0x0000000001E70000-0x0000000001EB0000-memory.dmp

Filesize
256KB

Download
memory/2872-37-0x0000000001E70000-0x0000000001EB0000-memory.dmp

Filesize
256KB

Download
memory/2872-49-0x000000006DE80000-0x000000006E42B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-32-0x000000006DE80000-0x000000006E42B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-39-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2912-41-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2912-20-0x000000006DE80000-0x000000006E42B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-34-0x000000006DE80000-0x000000006E42B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-48-0x000000006DE80000-0x000000006E42B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-29-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads