agenttesla | 499fb09ef1f251f56311fc4a3d303f38dee434cb0ada4372bb8d0cf291c5ddb3

General

Target

Aviso legal.exe
Size

821KB
MD5

c7ae7bfda7f71b76c6f3213cfe94529e
SHA1

eebcb778056a8fa9a33255141d70ffac41523caf
SHA256

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
SHA512

70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2
SSDEEP

12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

Aviso legal.exe

pid process

2132 Aviso legal.exe
2132 Aviso legal.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
44 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Aviso legal.exe

pid process

1344 Aviso legal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Aviso legal.exeAviso legal.exe

pid process

2132 Aviso legal.exe
1344 Aviso legal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Aviso legal.exe

description pid process target process

PID 2132 set thread context of 1344 2132 Aviso legal.exe Aviso legal.exe
Drops file in Windows directory 1 IoCs

Processes:

Aviso legal.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi Aviso legal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Aviso legal.exe

pid process

1344 Aviso legal.exe
1344 Aviso legal.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Aviso legal.exe

pid process

2132 Aviso legal.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Aviso legal.exe

description pid process

Token: SeDebugPrivilege 1344 Aviso legal.exe

pid	process
2132	Aviso legal.exe
2132	Aviso legal.exe

flow	ioc
43	api.ipify.org
44	api.ipify.org

pid	process
1344	Aviso legal.exe

pid	process
2132	Aviso legal.exe
1344	Aviso legal.exe

description	pid	process	target process
PID 2132 set thread context of 1344	2132	Aviso legal.exe	Aviso legal.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	Aviso legal.exe

pid	process
1344	Aviso legal.exe
1344	Aviso legal.exe

pid	process
2132	Aviso legal.exe

description	pid	process
Token: SeDebugPrivilege	1344	Aviso legal.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Aviso legal.exe

description	pid	process	target process
PID 2132 wrote to memory of 1344	2132	Aviso legal.exe	Aviso legal.exe
PID 2132 wrote to memory of 1344	2132	Aviso legal.exe	Aviso legal.exe
PID 2132 wrote to memory of 1344	2132	Aviso legal.exe	Aviso legal.exe
PID 2132 wrote to memory of 1344	2132	Aviso legal.exe	Aviso legal.exe
PID 2132 wrote to memory of 1344	2132	Aviso legal.exe	Aviso legal.exe

C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe
"C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe
  "C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg4AC7.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C03.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr4A68.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4A88.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4AD8.tmp

Filesize
11B

MD5
f9e81875c2ac80cd228ff7615d6e6183

SHA1
bc60a68ab8522806b30affd832b5866643ec2031

SHA256
54d26d86b2ebde0a52271df5d2bcc911d881ada35d5716076d0411672f78e7b1

SHA512
6173811b6e692e85ac091f9e53ad9e392dc9853087756dae6907ae45b73704c1084ad64bb9730871b6f7dd16d871dfcf089fcf19746cbee68b783a691937d1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4AD8.tmp

Filesize
60B

MD5
2d45b071bce5847e12b6308c981e1ab7

SHA1
5bc8e983895acd8ed0d5bb4fc48355cf5871ed2c

SHA256
3e9039677f7626a652276f60ecb67b20cd004050af6d7cec32d237591254cb81

SHA512
e838c8c079a8ca453eaa5509df7fe8340329afbf6e6205938ebcac23a98514b7465e8ab7cc9e1be1af10423ab87c8f1797013b58dffcc3d29a35a792d8f05ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4B27.tmp

Filesize
29B

MD5
90d4148f2c3df01640574cf198642bff

SHA1
80df93c47461df2096af940f6ff710cc3b103a5d

SHA256
603018413ce2875406e3ef08d7ba9a2f086539f1d1ed1023efea06b635c426fc

SHA512
0e407fe7c335c47b7a81cd77fc17b3db6d179342b3d05d103663e5fa7780d9d496e4a9ea462dc5f66cc4708a67c02aec395a08d73b6e52f3c4fa490b89ac4d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4B27.tmp

Filesize
56B

MD5
c599d20101d8532a39fefbec3a4162a9

SHA1
6215d1abf9002230448221e1ebdcb2916df29cb3

SHA256
db2d57c0d52d8989de271b0b5440e043c7c93b4f58092de80a1c1e569f5327b2

SHA512
df32094a64597c11d96b2844ea097c960cf39901508dcdf9d0892e2879706d2b6a178d1f798a1ba22613091c79b11ba468b21ad04f7856c8be3cfd517330df93

Download Submit
memory/1344-579-0x00000000004C0000-0x0000000001714000-memory.dmp

Filesize
18.3MB

Download
memory/1344-585-0x0000000071CA0000-0x0000000072450000-memory.dmp

Filesize
7.7MB

Download
memory/1344-577-0x0000000077478000-0x0000000077479000-memory.dmp

Filesize
4KB

Download
memory/1344-578-0x0000000077495000-0x0000000077496000-memory.dmp

Filesize
4KB

Download
memory/1344-592-0x0000000071CA0000-0x0000000072450000-memory.dmp

Filesize
7.7MB

Download
memory/1344-580-0x00000000773F1000-0x0000000077511000-memory.dmp

Filesize
1.1MB

Download
memory/1344-581-0x0000000071CAE000-0x0000000071CAF000-memory.dmp

Filesize
4KB

Download
memory/1344-582-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1344-583-0x00000000382F0000-0x0000000038894000-memory.dmp

Filesize
5.6MB

Download
memory/1344-584-0x0000000035E60000-0x0000000035EC6000-memory.dmp

Filesize
408KB

Download
memory/1344-591-0x0000000071CAE000-0x0000000071CAF000-memory.dmp

Filesize
4KB

Download
memory/1344-586-0x00000000390E0000-0x0000000039130000-memory.dmp

Filesize
320KB

Download
memory/1344-587-0x0000000039130000-0x00000000391C2000-memory.dmp

Filesize
584KB

Download
memory/1344-588-0x00000000391E0000-0x00000000391EA000-memory.dmp

Filesize
40KB

Download
memory/2132-576-0x0000000074255000-0x0000000074256000-memory.dmp

Filesize
4KB

Download
memory/2132-575-0x00000000773F1000-0x0000000077511000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing