agenttesla | 216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca

General

Target

216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe
Size

616KB
MD5

0c937b5c2726ead914f467f4458fb30c
SHA1

f1d0c49c593499e9190bcb796a0cd7292fbfeea6
SHA256

216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca
SHA512

d9403de28b2bf85cf7d0cf2390497016cf3e00255486eed84223bd97a5e41e21ebfd9218056e082bf745d4d7fdf7a712b72559358d2118eda6141222539a1231
SSDEEP

12288:k9Xl+wonve99dbGPG+gibay1WTIlLuRtjI0THYWsuFFu5KmgsHL:kLRovq78GniOTTyLurk0TQNio

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
business29.web-hosting.com
Port:
587
Username:
[email protected]
Password:
7.s8.{OnUP(S
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with or use KoiVM 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1976-4-0x00000000004F0000-0x0000000000584000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AddInProcess32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWcZJz = "C:\\Users\\Admin\\AppData\\Roaming\\AWcZJz\\AWcZJz.exe"	AddInProcess32.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe

description	pid	process	target process
PID 1976 set thread context of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

2320 AddInProcess32.exe
2320 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AddInProcess32.exe

description pid process

Token: SeDebugPrivilege 2320 AddInProcess32.exe

pid	process
2320	AddInProcess32.exe
2320	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2320	AddInProcess32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe

description	pid	process	target process
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 2320	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	AddInProcess32.exe
PID 1976 wrote to memory of 3000	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	WerFault.exe
PID 1976 wrote to memory of 3000	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	WerFault.exe
PID 1976 wrote to memory of 3000	1976	216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe
"C:\Users\Admin\AppData\Local\Temp\216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1976 -s 628
2⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-0-0x000007FEF5D43000-0x000007FEF5D44000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000000F60000-0x0000000000F6E000-memory.dmp

Filesize
56KB

Download
memory/1976-2-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-3-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/1976-4-0x00000000004F0000-0x0000000000584000-memory.dmp

Filesize
592KB

Download
memory/1976-19-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-18-0x000007FEF5D43000-0x000007FEF5D44000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-15-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2320-16-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-20-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads