agenttesla | 3c2970acce43b4205666a5122842b2d0e1111c7945b103d0a4dcb0fa4a087218

General

Target

CEQ084007738830983737820000020002RF_PDF.exe
Size

2.5MB
MD5

ece6f990267fba0e365191d6558b0f9f
SHA1

7841ab811b01ce15915a9df2538ff469656538af
SHA256

105465e8fc8446745fca6287927567949b9c7a41112d4752f9cb98f503f484db
SHA512

b8a1ad5e44e89c3657f05bd5f32859c1479149b5a849059212139c00b4b6410544b5929e17ddc3b4aaea29aa1413ab77bb57e95b30caef1f6a02f838db116a12
SSDEEP

24576:hqCdMP5SdezpyFNrhSCPuoX0k6O2BusxExVJhenLg31+mYGnKBFHJETXHOahJs3:hP6hSrcCPT0JnLg31+mYGnKDKTXe3

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6806295140:AAG4-KC2NA0JDcYhFvVsLTmBeXMXo_2r83w/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2404 powershell.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

CEQ084007738830983737820000020002RF_PDF.exe

description pid process target process

PID 1776 set thread context of 3052 1776 CEQ084007738830983737820000020002RF_PDF.exe regsvcs.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeregsvcs.exe

pid process

2404 powershell.exe
3052 regsvcs.exe
3052 regsvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeregsvcs.exe

description pid process

Token: SeDebugPrivilege 2404 powershell.exe
Token: SeDebugPrivilege 3052 regsvcs.exe

pid	process
2404	powershell.exe

flow	ioc
2	api.ipify.org
3	api.ipify.org

description	pid	process	target process
PID 1776 set thread context of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe

pid	process
2404	powershell.exe
3052	regsvcs.exe
3052	regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3052	regsvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CEQ084007738830983737820000020002RF_PDF.exe

description	pid	process	target process
PID 1776 wrote to memory of 2404	1776	CEQ084007738830983737820000020002RF_PDF.exe	powershell.exe
PID 1776 wrote to memory of 2404	1776	CEQ084007738830983737820000020002RF_PDF.exe	powershell.exe
PID 1776 wrote to memory of 2404	1776	CEQ084007738830983737820000020002RF_PDF.exe	powershell.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe
PID 1776 wrote to memory of 3052	1776	CEQ084007738830983737820000020002RF_PDF.exe	regsvcs.exe

C:\Users\Admin\AppData\Local\Temp\CEQ084007738830983737820000020002RF_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\CEQ084007738830983737820000020002RF_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2404-15-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-7-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-6-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/2404-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-8-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-9-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2404-17-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-16-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/3052-18-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing