agenttesla | 10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a

General

Target

10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe
Size

3.4MB
MD5

876aeb81a553e8946fa8ab00a818b63b
SHA1

c484c645f9ebd696ee6889aeb7a1063d27d8793c
SHA256

10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a
SHA512

ed0d6d997d2213caeb280b2429a2726575a842a6ab0fcf3440d6b2c6abe52ae03a5bab7362dac8fb20f687a3febd120d8183399192b57663bfe3ca7864b4e3d8
SSDEEP

49152:w8yJAk206NICMq5pzKRgqVzKBNgFDeekmW5:HBsIT

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
business29.web-hosting.com
Port:
587
Username:
[email protected]
Password:
Mas_#()@?"obo"""
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a = "C:\\Users\\Admin\\10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe"	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2920	AddInProcess32.exe
2920	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87
PID 2428 wrote to memory of 2920	2428	10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe	87

C:\Users\Admin\AppData\Local\Temp\10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe
"C:\Users\Admin\AppData\Local\Temp\10da9edb338bab3ff8e7102e2a7cabdce67005ac8635ac42383cca30a7b9458a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2920-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2920-2-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2920-3-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/2920-4-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/2920-5-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2920-6-0x0000000006CB0000-0x0000000006D42000-memory.dmp

Filesize
584KB

Download
memory/2920-7-0x0000000006DA0000-0x0000000006DF0000-memory.dmp

Filesize
320KB

Download
memory/2920-8-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/2920-9-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2920-10-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads