agenttesla | 0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae

Analysis

max time kernel
145s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
Size

604KB
MD5

7ddd5227ec23c776e1ad950e60eb37ca
SHA1

7e0c332beb86a7d011e13ede52a77cbfa25740c0
SHA256

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae
SHA512

08c0d3db1462cbf9961bd0f7ba2dda8eba5f907d742e04453c7f87de17c4b036255d6af66028b1726073db55a068cc7f1eb51e59ff8dbf9c4cd3c1329fb0cba3
SSDEEP

12288:7Simbs5M7iO9sV5+JrfeWJm86J6gBh7ta8oZQPid2j9f:7VmbYMr9sYrWB86J6gfM8oZQc2jR

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with or use KoiVM 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4768-3-0x00000221A1F10000-0x00000221A1FA6000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3596 svchost.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3596	svchost.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3596 set thread context of 4220 3596 svchost.exe regasm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1808 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4668 timeout.exe

description	pid	process	target process
PID 3596 set thread context of 4220	3596	svchost.exe	regasm.exe

pid	process
1808	schtasks.exe

pid	process
4668	timeout.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exepowershell.exeregasm.exe

pid	process
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
1696	powershell.exe
1696	powershell.exe
4220	regasm.exe
4220	regasm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exesvchost.exepowershell.exeregasm.exe

description	pid	process
Token: SeDebugPrivilege	4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
Token: SeDebugPrivilege	3596	svchost.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	4220	regasm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 4768 wrote to memory of 4888	4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe	cmd.exe
PID 4768 wrote to memory of 4888	4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe	cmd.exe
PID 4768 wrote to memory of 4836	4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe	cmd.exe
PID 4768 wrote to memory of 4836	4768	0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe	cmd.exe
PID 4836 wrote to memory of 4668	4836	cmd.exe	timeout.exe
PID 4836 wrote to memory of 4668	4836	cmd.exe	timeout.exe
PID 4888 wrote to memory of 1808	4888	cmd.exe	schtasks.exe
PID 4888 wrote to memory of 1808	4888	cmd.exe	schtasks.exe
PID 4836 wrote to memory of 3596	4836	cmd.exe	svchost.exe
PID 4836 wrote to memory of 3596	4836	cmd.exe	svchost.exe
PID 3596 wrote to memory of 1696	3596	svchost.exe	powershell.exe
PID 3596 wrote to memory of 1696	3596	svchost.exe	powershell.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 4220	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 2480	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 2480	3596	svchost.exe	regasm.exe
PID 3596 wrote to memory of 2480	3596	svchost.exe	regasm.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe
"C:\Users\Admin\AppData\Local\Temp\0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4668

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
4⤵
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n0wbensz.gvq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.bat
Filesize
151B

MD5
2c04f0428f074864409e526839cc65d1

SHA1
84cbad9b9eeaabbb6b5f84d6da344921bed06f4e

SHA256
59d60b1a76a1e6c7c581b6a30d22b3cd79c85501a55207de8ae64914819b46c0

SHA512
3e7e2fecdb6e5d884a2cf5744d521ad7bb8e2307b55c96cb8b0ac31e8b12f2862095365c6d151f2ee3b178b500731f792574b5b1d7dae53e23b81018ae99db76

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
604KB

MD5
7ddd5227ec23c776e1ad950e60eb37ca

SHA1
7e0c332beb86a7d011e13ede52a77cbfa25740c0

SHA256
0d23cb796416bcf04260bdf9d1eef9300de08fff1da13a181c57d065d98bdfae

SHA512
08c0d3db1462cbf9961bd0f7ba2dda8eba5f907d742e04453c7f87de17c4b036255d6af66028b1726073db55a068cc7f1eb51e59ff8dbf9c4cd3c1329fb0cba3

Download Submit
memory/1696-14-0x00000198A40F0000-0x00000198A4112000-memory.dmp

Filesize
136KB

Download
memory/4220-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-24-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-25-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/4220-28-0x0000000005F00000-0x0000000005F50000-memory.dmp

Filesize
320KB

Download
memory/4220-29-0x0000000006150000-0x00000000061E2000-memory.dmp

Filesize
584KB

Download
memory/4220-30-0x0000000005F50000-0x0000000005F5A000-memory.dmp

Filesize
40KB

Download
memory/4768-3-0x00000221A1F10000-0x00000221A1FA6000-memory.dmp

Filesize
600KB

Download
memory/4768-2-0x00000221A1FD0000-0x00000221A1FE0000-memory.dmp

Filesize
64KB

Download
memory/4768-9-0x00007FFCCA320000-0x00007FFCCADE1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-0-0x0000022187AB0000-0x0000022187ABA000-memory.dmp

Filesize
40KB

Download
memory/4768-1-0x00007FFCCA320000-0x00007FFCCADE1000-memory.dmp

Filesize
10.8MB

Download