agenttesla | d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee

General

Target

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
Size

707KB
MD5

5f2b165fb7d86e68285cb69130d446e4
SHA1

137d74a66bb6caf9c363b235cac85fcc14d027fb
SHA256

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee
SHA512

045fa8f01cda67b48f5cd9d50dfe7269b6d4c18e630a6246a1866fac485ed7ef7aec9e3193f3da6b43ecc3b36416df52d4a3ebf149214742104a940bd2e70049
SSDEEP

12288:XNgLeFR6aglv312Z3yR4ISPfTsoFOhB1YclFbwlg5OPciwaYhJa/IU52WkSD+PRH:rgJ312ZzHWhPYcllwW5qcJ2wU5gSi5r7

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.a2zksa.com
Port:
587
Username:
[email protected]
Password:
]Xw(w^vQ-{^2
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qSLBNg = "C:\\Users\\Admin\\AppData\\Roaming\\qSLBNg\\qSLBNg.exe"	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 api.ipify.org
41 api.ipify.org
42 ip-api.com

flow	ioc
40	api.ipify.org
41	api.ipify.org
42	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

description	pid	process	target process
PID 4200 set thread context of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2824 schtasks.exe

pid	process
2824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exepowershell.exepowershell.exed6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

pid	process
4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
3484	powershell.exe
3484	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
2640	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
2640	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
2640	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
3484	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exepowershell.exepowershell.exed6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

description	pid	process
Token: SeDebugPrivilege	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	2640	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

description	pid	process	target process
PID 4200 wrote to memory of 4184	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	powershell.exe
PID 4200 wrote to memory of 4184	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	powershell.exe
PID 4200 wrote to memory of 4184	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	powershell.exe
PID 4200 wrote to memory of 3484	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	powershell.exe
PID 4200 wrote to memory of 3484	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	powershell.exe
PID 4200 wrote to memory of 3484	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	powershell.exe
PID 4200 wrote to memory of 2824	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	schtasks.exe
PID 4200 wrote to memory of 2824	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	schtasks.exe
PID 4200 wrote to memory of 2824	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	schtasks.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
PID 4200 wrote to memory of 2640	4200	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe	d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe

C:\Users\Admin\AppData\Local\Temp\d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
"C:\Users\Admin\AppData\Local\Temp\d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hYBnqPTxdBj.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hYBnqPTxdBj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF26E.tmp"
2⤵
- Creates scheduled task(s)
PID:2824

C:\Users\Admin\AppData\Local\Temp\d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe
"C:\Users\Admin\AppData\Local\Temp\d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d6aa040bdb9225a169d8b6efb39e48b5ef16a4e2f2334b2f80c215c603331eee.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
9d9a04ed571bd4f2c1c47df151d50a9d

SHA1
80860a9d25533caac4a5630df471cc48ce0d2f0a

SHA256
177a8a87f9b9a892d8cc798261b885c8ff79d436c00aedbaf7a1462d76a0e3d9

SHA512
410524cd5d71577b1ffadc616ab94f85d1593b336f23f6c0a49217438c22dfe32b0e2e8f7d7049ef70447dbf4d7515a1688745ee9a9e0f71260c660307118cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whu5ypvk.aoo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF26E.tmp
Filesize
1KB

MD5
a1e1310026b9cd10194b561d87a167d9

SHA1
217e560f9720600866ebc992fa9a12699603ec25

SHA256
0b7e38b7edd6375beec41b9d3c9e8bd85e02d20a90be67097f4a2333a4201088

SHA512
b1d262b836692b51f3ba74bef5b3db059eabc81d086a92e6f500edf17d744f02c34fd3ced883bfad0ef9f7c8cb50bfbc1716603c9a4cb8b9169f73841e8870ec

Download Submit
memory/2640-49-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2640-95-0x00000000068F0000-0x0000000006940000-memory.dmp

Filesize
320KB

Download
memory/2640-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2640-97-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2640-96-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3484-19-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3484-23-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3484-66-0x0000000074EC0000-0x0000000074F0C000-memory.dmp

Filesize
304KB

Download
memory/3484-67-0x000000007EE60000-0x000000007EE70000-memory.dmp

Filesize
64KB

Download
memory/3484-93-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3484-18-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/3484-21-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3484-77-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3484-20-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/3484-83-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download
memory/3484-84-0x0000000007D20000-0x0000000007D34000-memory.dmp

Filesize
80KB

Download
memory/3484-85-0x0000000007E20000-0x0000000007E3A000-memory.dmp

Filesize
104KB

Download
memory/3484-86-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/3484-22-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4184-17-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/4184-79-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/4184-25-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/4184-92-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4184-50-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/4184-51-0x00000000060C0000-0x000000000610C000-memory.dmp

Filesize
304KB

Download
memory/4184-53-0x000000007FDF0000-0x000000007FE00000-memory.dmp

Filesize
64KB

Download
memory/4184-54-0x0000000074EC0000-0x0000000074F0C000-memory.dmp

Filesize
304KB

Download
memory/4184-64-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/4184-52-0x0000000006B20000-0x0000000006B52000-memory.dmp

Filesize
200KB

Download
memory/4184-65-0x0000000006D60000-0x0000000006E03000-memory.dmp

Filesize
652KB

Download
memory/4184-16-0x0000000004CC0000-0x00000000052E8000-memory.dmp

Filesize
6.2MB

Download
memory/4184-14-0x0000000002250000-0x0000000002286000-memory.dmp

Filesize
216KB

Download
memory/4184-15-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4184-78-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/4184-24-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/4184-80-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/4184-81-0x0000000007100000-0x0000000007196000-memory.dmp

Filesize
600KB

Download
memory/4184-82-0x0000000007080000-0x0000000007091000-memory.dmp

Filesize
68KB

Download
memory/4200-0-0x0000000000EC0000-0x0000000000F74000-memory.dmp

Filesize
720KB

Download
memory/4200-9-0x000000000C5F0000-0x000000000C68C000-memory.dmp

Filesize
624KB

Download
memory/4200-8-0x00000000094D0000-0x0000000009556000-memory.dmp

Filesize
536KB

Download
memory/4200-7-0x0000000005E20000-0x0000000005E34000-memory.dmp

Filesize
80KB

Download
memory/4200-6-0x0000000005CD0000-0x0000000005CF0000-memory.dmp

Filesize
128KB

Download
memory/4200-5-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/4200-48-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4200-4-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4200-3-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/4200-2-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/4200-1-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads