agenttesla | 8d48681090810cf096230ac8e6900c4cdb22d9872622ba55f9d70c1c1ca32956

General

Target

SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe
Size

2.5MB
MD5

3a1b81c6763af1d0d35082ee119c731a
SHA1

de17332d6c29afd205611f1abfecee207a91bc7d
SHA256

8d48681090810cf096230ac8e6900c4cdb22d9872622ba55f9d70c1c1ca32956
SHA512

03494a5db06028f23c4cb77ac574e348f1374a66ccb43236fa09fbc0423dc98c21cd618210bc1a52e88c194c3786e8cd58511c8ae12632e03fed1371df2c541f
SSDEEP

24576:7qCdMP5SdezpyFNrhSCPuoX0k6O2BusxExVJhewLg31+mYGnKBF1JETXHOa/8+UW:7P6hSrcCPT0JwLg31+mYGnKDkTXph

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@#Qwerty12345
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost\\svchost.exe"	regsvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe

description pid process target process

PID 1704 set thread context of 2028 1704 SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe regsvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvcs.exe

pid process

2028 regsvcs.exe
2028 regsvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvcs.exe

description pid process

Token: SeDebugPrivilege 2028 regsvcs.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 1704 set thread context of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe

pid	process
2028	regsvcs.exe
2028	regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	2028	regsvcs.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe

description	pid	process	target process
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2584	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	msbuild.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe
PID 1704 wrote to memory of 2028	1704	SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe	regsvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSXgen.16698.32595.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
2⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-5-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2028-6-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-8-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2028-9-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads