agenttesla | 5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa

General

Target

5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
Size

753KB
MD5

940f9282615409a27cd72e4bf6ba7b3e
SHA1

1307c4ba274a56c9ca4a95c12e7591df8bb0b642
SHA256

5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa
SHA512

0718e929e984a2bdd30f315d597f4a959194b052fe3ef4648baf34a2e07f812f510f8ee1b9dfccf88e6980ecf042406ee074f1c5cdb4942937cb0d01c4db1162
SSDEEP

12288:9e7dDQ2FUPyf6otLns8trlVT/XL1VQC3TBgltTnqkZQSC+wUoO99OGfFinSvdocy:9OdD3GPyf6otLs8trlJ/XLgCdgTWktE3

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5967521781:AAFM9TWkFoveAFBEBJsmTEG-0oQtcRWcbVE/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe

Executes dropped EXE 1 IoCs

pid	Process
220	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eVnxs = "C:\\Users\\Admin\\AppData\\Roaming\\eVnxs\\eVnxs.exe"	CasPol.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.ipify.org
27	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 3764	220	svchost.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2168	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3488	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
3764	CasPol.exe
3764	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
Token: SeDebugPrivilege	220	svchost.exe
Token: SeDebugPrivilege	3764	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3764	CasPol.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1436	1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe	90
PID 1656 wrote to memory of 1436	1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe	90
PID 1656 wrote to memory of 4500	1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe	92
PID 1656 wrote to memory of 4500	1656	5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe	92
PID 4500 wrote to memory of 3488	4500	cmd.exe	94
PID 4500 wrote to memory of 3488	4500	cmd.exe	94
PID 1436 wrote to memory of 2168	1436	cmd.exe	95
PID 1436 wrote to memory of 2168	1436	cmd.exe	95
PID 4500 wrote to memory of 220	4500	cmd.exe	98
PID 4500 wrote to memory of 220	4500	cmd.exe	98
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 3764	220	svchost.exe	101
PID 220 wrote to memory of 4128	220	svchost.exe	102
PID 220 wrote to memory of 4128	220	svchost.exe	102
PID 220 wrote to memory of 4128	220	svchost.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe
"C:\Users\Admin\AppData\Local\Temp\5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F4B.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3488
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F4B.tmp.bat

Filesize
151B

MD5
25d5172bbeb9dfae40f17f73d91b93bb

SHA1
f0f413499903e53bb9b0c95bfd9bb45d79874d78

SHA256
9611a800977f60d6947e95868c66e48c48d417c8ae1984817255ad9ffc1f4630

SHA512
080104b54c901174ef892e1e94c20c14f422845288eec1d8c6ae94ca19955622d6c1efeaf682faadc48fddabde304d8d3666b60ab23794a17b1e9ee76e47db71

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
753KB

MD5
940f9282615409a27cd72e4bf6ba7b3e

SHA1
1307c4ba274a56c9ca4a95c12e7591df8bb0b642

SHA256
5506f5fb1809f4856d13d6f49f2fc18c6d8698043aac2cf12bd56773361912fa

SHA512
0718e929e984a2bdd30f315d597f4a959194b052fe3ef4648baf34a2e07f812f510f8ee1b9dfccf88e6980ecf042406ee074f1c5cdb4942937cb0d01c4db1162

Download Submit
memory/1656-4-0x000002DE7E2F0000-0x000002DE7E38A000-memory.dmp

Filesize
616KB

Download
memory/1656-1-0x00007FFCAA423000-0x00007FFCAA425000-memory.dmp

Filesize
8KB

Download
memory/1656-3-0x000002DE7E230000-0x000002DE7E25A000-memory.dmp

Filesize
168KB

Download
memory/1656-10-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/1656-2-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/1656-0-0x000002DE63D80000-0x000002DE63DAA000-memory.dmp

Filesize
168KB

Download
memory/3764-15-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/3764-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3764-16-0x0000000004F90000-0x0000000004FF6000-memory.dmp

Filesize
408KB

Download
memory/3764-20-0x0000000006380000-0x000000000641C000-memory.dmp

Filesize
624KB

Download
memory/3764-19-0x0000000006290000-0x00000000062E0000-memory.dmp

Filesize
320KB

Download
memory/3764-21-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/3764-22-0x00000000065D0000-0x00000000065DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads