agenttesla | 191bbf637696ece59a72a105bdcd7f9e175309fff88acc612c353cef8cdf5234

General

Target

purchase order T&B19-20PO128.exe
Size

712KB
MD5

cb557a97949c50fc133f4d58537ddc44
SHA1

b46e14c0325e0b1419e6df97b20803eeb92a55b4
SHA256

d967ab9c69606d614df05823f3fcb76d436dbda3f1306db4d132acbda8aa8cb5
SHA512

91d5abcc7199c36eb89cc1a3536fb0ba633fa96f2743d7461d1b48a37f5e09974f05600b7d50cf8961dfcf414b6025ae4a14c0c500c6d5749d778e3a4650feb6
SSDEEP

12288:zrXYMjhvPie/rByY77777777777774HOE+aEz+dbZjghmi8+NEaIa0lPhcPIuRiU:3YMFniyyVufcbRg/I5PhcwuRiFtq5630

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.clslk.com
Port:
587
Username:
[email protected]
Password:
NUZRATHinam1978
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

resource	yara_rule
behavioral1/memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

resource	yara_rule
behavioral1/memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

resource	yara_rule
behavioral1/memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe
3068	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 2412	996	purchase order T&B19-20PO128.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
996	purchase order T&B19-20PO128.exe
996	purchase order T&B19-20PO128.exe
996	purchase order T&B19-20PO128.exe
996	purchase order T&B19-20PO128.exe
2412	RegSvcs.exe
2412	RegSvcs.exe
2548	powershell.exe
3068	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	purchase order T&B19-20PO128.exe
Token: SeDebugPrivilege	2412	RegSvcs.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2548	996	purchase order T&B19-20PO128.exe	28
PID 996 wrote to memory of 2548	996	purchase order T&B19-20PO128.exe	28
PID 996 wrote to memory of 2548	996	purchase order T&B19-20PO128.exe	28
PID 996 wrote to memory of 2548	996	purchase order T&B19-20PO128.exe	28
PID 996 wrote to memory of 3068	996	purchase order T&B19-20PO128.exe	30
PID 996 wrote to memory of 3068	996	purchase order T&B19-20PO128.exe	30
PID 996 wrote to memory of 3068	996	purchase order T&B19-20PO128.exe	30
PID 996 wrote to memory of 3068	996	purchase order T&B19-20PO128.exe	30
PID 996 wrote to memory of 2712	996	purchase order T&B19-20PO128.exe	31
PID 996 wrote to memory of 2712	996	purchase order T&B19-20PO128.exe	31
PID 996 wrote to memory of 2712	996	purchase order T&B19-20PO128.exe	31
PID 996 wrote to memory of 2712	996	purchase order T&B19-20PO128.exe	31
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34
PID 996 wrote to memory of 2412	996	purchase order T&B19-20PO128.exe	34

C:\Users\Admin\AppData\Local\Temp\purchase order T&B19-20PO128.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order T&B19-20PO128.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\purchase order T&B19-20PO128.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lRlzknDDQQAND.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lRlzknDDQQAND" /XML "C:\Users\Admin\AppData\Local\Temp\tmp695D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp695D.tmp

Filesize
1KB

MD5
ae1c34a12430291d2b7b577df59fe439

SHA1
bfc0e60e4697f27ee6577318c7e8ba9f8a95f8b3

SHA256
c2d70767d667fa78d9d359ec93cd639ef14c2a3ec22739894c117916acb6f7a4

SHA512
4235f193950d0e05a9b37b79e79b219955601c308688363f2059f977b2e10706b5354d770929b8068ac88d14273e0d131324222fb2b1aeefc55b22b8bdda80d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
72dae91c6cfb6c965fa1627855976f3d

SHA1
3248c9cf01b70d30dde1fba35ce467d0d4af7804

SHA256
57a5ef021b1fc363fcf75d36970e011d05ac751cf965ec5878f7434424d1fdc5

SHA512
3949785878d0619b767ae7c0f421e148c911c7a38ce0281f41333d981e04af44f6ab6f2ad542befe69759dad44e0ac1675bef7cf7b53239c83ab0ac177a3be73

Download Submit
memory/996-4-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/996-31-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/996-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/996-5-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/996-6-0x0000000005240000-0x00000000052C4000-memory.dmp

Filesize
528KB

Download
memory/996-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/996-1-0x0000000001160000-0x0000000001216000-memory.dmp

Filesize
728KB

Download
memory/996-3-0x0000000000770000-0x0000000000790000-memory.dmp

Filesize
128KB

Download
memory/2412-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2412-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads