agenttesla | 33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf

General

Target

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe
Size

1.5MB
MD5

7eedf337a5824379df84a628b5ad12ba
SHA1

e1bbded53262161ce93bd08181ded39c29e7a1e2
SHA256

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf
SHA512

e5182418670c6803d75d9caa41fc1493a5efcd381f088d21955e795f0f9d37c22774d9258e08a973db94323a73848f08b8c3e40c31cfc9f6fd1705ada1945f43
SSDEEP

24576:CSFHypJqTSpfw3wr9KQdeqJjeAci5wr/hTy3xJVt96qjUXAay/T:qheAtQpTy3zfHUXc

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
terminal4.veeblehosting.com
Port:
587
Username:
[email protected]
Password:
Ifeanyi1987@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables packed with or use KoiVM 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1780-4-0x000002166EE10000-0x000002166EEA4000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com

flow	ioc
24	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe

description	pid	process	target process
PID 1780 set thread context of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

installutil.exe

pid process

2016 installutil.exe
2016 installutil.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installutil.exe

description pid process

Token: SeDebugPrivilege 2016 installutil.exe

pid	process
2016	installutil.exe
2016	installutil.exe

description	pid	process
Token: SeDebugPrivilege	2016	installutil.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe

description	pid	process	target process
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 2016	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 4256	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 4256	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe
PID 1780 wrote to memory of 4256	1780	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	installutil.exe

C:\Users\Admin\AppData\Local\Temp\33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe
"C:\Users\Admin\AppData\Local\Temp\33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
PID:4256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-0-0x00007FFE98213000-0x00007FFE98215000-memory.dmp

Filesize
8KB

Download
memory/1780-1-0x000002166ECC0000-0x000002166ECD2000-memory.dmp

Filesize
72KB

Download
memory/1780-2-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-3-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-4-0x000002166EE10000-0x000002166EEA4000-memory.dmp

Filesize
592KB

Download
memory/1780-10-0x00007FFE98210000-0x00007FFE98CD1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-8-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/2016-7-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/2016-6-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/2016-9-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2016-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-11-0x0000000006B40000-0x0000000006B90000-memory.dmp

Filesize
320KB

Download
memory/2016-12-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/2016-13-0x0000000006BC0000-0x0000000006BCA000-memory.dmp

Filesize
40KB

Download
memory/2016-14-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/2016-15-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads