agenttesla | f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3

General

Target

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe
Size

1.1MB
MD5

7da1c0d2f867dc5c13343342c118c9c1
SHA1

8d6a7c1236b4ff1755a1be562fc3f10e3fc59521
SHA256

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3
SHA512

4e6ee2a73b0428b6ac88421a064258343ee3cd562c927ca572d58952649c41c171cef8fa237ad83ac0c295c54c6f0ff3a330caf6b2e2ef773715e31534d23626
SSDEEP

24576:kAHnh+eWsN3skA4RV1Hom2KXMmHa90MpQVb5:zh+ZkldoPK8Ya9n2X

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
premium185.web-hosting.com
Port:
587
Username:
[email protected]
Password:
cooldown2013
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"	RegSvcs.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
13 ip-api.com

flow	ioc
4	api.ipify.org
5	api.ipify.org
13	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

description	pid	process	target process
PID 2884 set thread context of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

3004 RegSvcs.exe
3004 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

pid process

2884 f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3004 RegSvcs.exe

pid	process
3004	RegSvcs.exe
3004	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3004	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

pid	process
2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe
2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

pid	process
2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe
2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe

description	pid	process	target process
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe
PID 2884 wrote to memory of 3004	2884	f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe
"C:\Users\Admin\AppData\Local\Temp\f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\f0fa44b30e270a00c114bf0045e7619cc680f813f221c4bf86daaab87ab06bb3.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-10-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/3004-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-16-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-33-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/3004-34-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads