agenttesla | cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe
Size

1.1MB
MD5

b51437afc0839fd9a676a8f597bb7943
SHA1

f92958eff0a0252baaa3bad70f2f9b392ccc5bb9
SHA256

cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877
SHA512

97f736094d97e50c4319925f7e8f8e59d2c14f371b294e9c2a28bc3a7ff2a6395ee04a0b37dcc34c83d46ae6d3ad365fb5e1d5d4b6f1bb92611c27a614cbf3ba
SSDEEP

24576:1KzVtwfumPW2lQxQGFHKj3gBLV/ccVOjEXj39m:1KzVtw2mPB6uj3gL/TOjEBm

Score

10^/10

agenttesla evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

resource	yara_rule
behavioral1/memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

resource	yara_rule
behavioral1/memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral1/memory/1576-2-0x000000001A730000-0x000000001A7C6000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

resource	yara_rule
behavioral1/memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2500	2728	svchost.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2996	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2476	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe
1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe
2644	powershell.exe
2500	AddInProcess32.exe
2500	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe
Token: SeDebugPrivilege	2728	svchost.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2500	AddInProcess32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2616	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe	28
PID 1576 wrote to memory of 2616	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe	28
PID 1576 wrote to memory of 2616	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe	28
PID 1576 wrote to memory of 2844	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe	30
PID 1576 wrote to memory of 2844	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe	30
PID 1576 wrote to memory of 2844	1576	cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe	30
PID 2844 wrote to memory of 2476	2844	cmd.exe	32
PID 2844 wrote to memory of 2476	2844	cmd.exe	32
PID 2844 wrote to memory of 2476	2844	cmd.exe	32
PID 2616 wrote to memory of 2996	2616	cmd.exe	33
PID 2616 wrote to memory of 2996	2616	cmd.exe	33
PID 2616 wrote to memory of 2996	2616	cmd.exe	33
PID 2844 wrote to memory of 2728	2844	cmd.exe	34
PID 2844 wrote to memory of 2728	2844	cmd.exe	34
PID 2844 wrote to memory of 2728	2844	cmd.exe	34
PID 2728 wrote to memory of 2644	2728	svchost.exe	35
PID 2728 wrote to memory of 2644	2728	svchost.exe	35
PID 2728 wrote to memory of 2644	2728	svchost.exe	35
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 2500	2728	svchost.exe	37
PID 2728 wrote to memory of 1632	2728	svchost.exe	38
PID 2728 wrote to memory of 1632	2728	svchost.exe	38
PID 2728 wrote to memory of 1632	2728	svchost.exe	38

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe
"C:\Users\Admin\AppData\Local\Temp\cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2996
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2476
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2728 -s 760
      4⤵
      Loads dropped DLL
      PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp.bat

Filesize
151B

MD5
e0312bb45292de3ca403f5a46db72d03

SHA1
4acdafaa711170e682a94f3c74626781092db466

SHA256
abe12a122b9d69adcc0d4f75312c230fe9b86920430b9a9c24be082ed086cff3

SHA512
431998221ac2a9bc0f59cf246e3898fbe5c25d9f7149fce7172a4370636c1d82aa7411d12981bb0a9c96db4336180cddd914620c5ba4a0a95d51afb138e972b5

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
b51437afc0839fd9a676a8f597bb7943

SHA1
f92958eff0a0252baaa3bad70f2f9b392ccc5bb9

SHA256
cfba93a9477e61d500f14818cbdf57308ab79cc2ff29ffb89517859bb57e9877

SHA512
97f736094d97e50c4319925f7e8f8e59d2c14f371b294e9c2a28bc3a7ff2a6395ee04a0b37dcc34c83d46ae6d3ad365fb5e1d5d4b6f1bb92611c27a614cbf3ba

Download Submit
memory/1576-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/1576-1-0x0000000000300000-0x0000000000386000-memory.dmp

Filesize
536KB

Download
memory/1576-2-0x000000001A730000-0x000000001A7C6000-memory.dmp

Filesize
600KB

Download
memory/1576-3-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-13-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-35-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2644-36-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2728-18-0x0000000001180000-0x0000000001206000-memory.dmp

Filesize
536KB

Download