agenttesla | 33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf

General

Target

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe
Size

1.5MB
MD5

7eedf337a5824379df84a628b5ad12ba
SHA1

e1bbded53262161ce93bd08181ded39c29e7a1e2
SHA256

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf
SHA512

e5182418670c6803d75d9caa41fc1493a5efcd381f088d21955e795f0f9d37c22774d9258e08a973db94323a73848f08b8c3e40c31cfc9f6fd1705ada1945f43
SSDEEP

24576:CSFHypJqTSpfw3wr9KQdeqJjeAci5wr/hTy3xJVt96qjUXAay/T:qheAtQpTy3zfHUXc

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
terminal4.veeblehosting.com
Port:
587
Username:
[email protected]
Password:
Ifeanyi1987@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe

description	pid	process	target process
PID 2152 set thread context of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvcs.exe

pid process

300 regsvcs.exe
300 regsvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvcs.exe

description pid process

Token: SeDebugPrivilege 300 regsvcs.exe

pid	process
300	regsvcs.exe
300	regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	300	regsvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe

description	pid	process	target process
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 300	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	regsvcs.exe
PID 2152 wrote to memory of 2548	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	WerFault.exe
PID 2152 wrote to memory of 2548	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	WerFault.exe
PID 2152 wrote to memory of 2548	2152	33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe
"C:\Users\Admin\AppData\Local\Temp\33cb5eeb9b42bd08e6a3b13e3c4e7bbcdb02bdb2e071553f177d4e2f66f3b9bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2152 -s 624
  2⤵
  PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-21-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/300-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/300-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/300-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/300-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/300-26-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/300-25-0x000000007462E000-0x000000007462F000-memory.dmp

Filesize
4KB

Download
memory/300-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/300-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/300-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/300-22-0x0000000074620000-0x0000000074D0E000-memory.dmp

Filesize
6.9MB

Download
memory/300-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-6-0x00000000020F0000-0x0000000002184000-memory.dmp

Filesize
592KB

Download
memory/2152-3-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-4-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/2152-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-23-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/2152-24-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-1-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2152-5-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing