agenttesla | 3e96e5c7ce88b7a27dbdb0341fe7dc7edd69cfeaba35b7b3019731de8ed81840

General

Target

PowerCheat free.exe
Size

8.0MB
MD5

63e3124b3360f64808cddb6b5b7dd0b7
SHA1

b5308a58f50c548c66b1c46543537812605b6973
SHA256

3e96e5c7ce88b7a27dbdb0341fe7dc7edd69cfeaba35b7b3019731de8ed81840
SHA512

f57876faf30d4c5e8794bf5e1c70747ca58c629df54f121339cbb6444df2cfa13315952233e32471448b5c919b62147ea70af7d66262ce1658fd9d87cea06f4f
SSDEEP

196608:o/TYUOztYQC4wmOH2dWJMiUb5zBXVnTpkSIgzeRnZYk:kWzupHjJdwbdkSpzYZYk

Score

10^/10

agenttesla umbral keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Umbral payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ldld.exe	family_umbral
behavioral1/memory/400-36-0x0000029133FF0000-0x0000029134030000-memory.dmp	family_umbral
behavioral1/memory/4624-35-0x0000000000400000-0x0000000000C0F000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-43-0x000001A3DCA00000-0x000001A3DCC14000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PowerCheat free.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	PowerCheat free.exe

Executes dropped EXE 3 IoCs

Processes:

PowerCheat_free.exePowerCheatEmuHider.exeldld.exe

pid process

2068 PowerCheat_free.exe
4544 PowerCheatEmuHider.exe
400 ldld.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2068	PowerCheat_free.exe
4544	PowerCheatEmuHider.exe
400	ldld.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

PowerCheat_free.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	PowerCheat_free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	PowerCheat_free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	PowerCheat_free.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

PowerCheatEmuHider.exeldld.exePowerCheat_free.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4544	PowerCheatEmuHider.exe
Token: SeDebugPrivilege	400	ldld.exe
Token: SeDebugPrivilege	2068	PowerCheat_free.exe
Token: SeDebugPrivilege	4788	firefox.exe
Token: SeDebugPrivilege	4788	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4788 firefox.exe
4788 firefox.exe
4788 firefox.exe
4788 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4788 firefox.exe
4788 firefox.exe
4788 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4788 firefox.exe

pid	process
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe

pid	process
4788	firefox.exe
4788	firefox.exe
4788	firefox.exe

pid	process
4788	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PowerCheat free.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4624 wrote to memory of 2068	4624	PowerCheat free.exe	PowerCheat_free.exe
PID 4624 wrote to memory of 2068	4624	PowerCheat free.exe	PowerCheat_free.exe
PID 4624 wrote to memory of 4544	4624	PowerCheat free.exe	PowerCheatEmuHider.exe
PID 4624 wrote to memory of 4544	4624	PowerCheat free.exe	PowerCheatEmuHider.exe
PID 4624 wrote to memory of 400	4624	PowerCheat free.exe	ldld.exe
PID 4624 wrote to memory of 400	4624	PowerCheat free.exe	ldld.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 3032 wrote to memory of 4788	3032	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 5068	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 3956	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 3956	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 3956	4788	firefox.exe	firefox.exe
PID 4788 wrote to memory of 3956	4788	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe"
2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
"C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\ldld.exe
"C:\Users\Admin\AppData\Local\Temp\ldld.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.0.514391844\1292421285" -parentBuildID 20230214051806 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c6bd500-48e0-436d-ada7-1d2250101655} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 1904 1955f108758 gpu
3⤵
PID:5068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.1.688562862\250373541" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3029399-8b2f-4319-972e-0ea37869d24b} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 2468 19552484d58 socket
3⤵
PID:3956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.2.1706228141\1418611268" -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0218a547-e0ab-474e-b4a2-dace809bec40} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 3320 195619f3758 tab
3⤵
PID:3004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.3.594552143\112039832" -childID 2 -isForBrowser -prefsHandle 3772 -prefMapHandle 3752 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daeb5d00-1245-4061-8aea-117f2838d5dd} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 3792 19552476b58 tab
3⤵
PID:2764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.4.353221412\1887692444" -childID 3 -isForBrowser -prefsHandle 5040 -prefMapHandle 5060 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e8fcb9c-b3d4-49b5-a4dd-28907f6f3ad1} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5064 19565f44258 tab
3⤵
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.5.654414026\296570319" -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c84137ad-d007-4def-85cd-678fb0a46914} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5300 19565f42a58 tab
3⤵
PID:2000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.6.1967010512\665430161" -childID 5 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dbadca9-98fe-42ae-ae83-4a2357463d33} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5428 19565f43658 tab
3⤵
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
Filesize
517KB

MD5
ae357200b048e8623e2c69ddec553db5

SHA1
8ca678c49a82f93304a6bd2de2b88abbc966cfa5

SHA256
f7e68891530b6a1a97022a9787dfdb363f1a531fc6d0e7f45355a836c2805d09

SHA512
4a1960f43b502065c9a955d2bbe8973d91245abf297b33c7244b60561eb4d71519a8996148e41fdd072a7127199b7b8791cb0206854b6573eb3e4ec48bc5f0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe
Filesize
7.3MB

MD5
43cb480944627cc538b1d6aba4ddef6d

SHA1
dc421528bf98e998cd01a17602fe63c08a17ae57

SHA256
7a5df9d2619482c2b1ae44d7099f3c184723cd06a78c45261eefd4fd5d6a175f

SHA512
9b6b81d682ce9cf605b1f1d910511c649454d0eb53edf0c8e022bcc4b1f65fd680fd5a4e963f76079d1a41a7d2cc24d306ca717271e7d9e55b73dc17a91bb67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldld.exe
Filesize
231KB

MD5
a91ab29228d60f9cb47da5acaae2fedc

SHA1
b4fd1d0a1119828ae5054b4cf73a2245531ed5e9

SHA256
0866614015dd5f9dc4878af196cb61213d9e243127a9c2be0facb07b6777dd36

SHA512
8e7c07e45c6e09fa07b60aa9af63ae7de91ab3c39804bca4dd01fe1ea7dbc96ad8eeb74943ce4c6afab2db1ce0da1a7b93ac2fb20f4c3f3af6fc1c3e7439c607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs-1.js
Filesize
7KB

MD5
6ca5d62682ae0a862ea406e6c35f7ccb

SHA1
06c1c39a80fa158d5e1737b257cf138711710e6d

SHA256
a30960ca22c9f8ca9ba7ac584abe96d81fa7de0074d117abc12973b313d700fd

SHA512
de18958841dd844b28949ada68f0b3a5f0181a878b8c74416e1d96b92dcff2a05f9474482d43886807f301098201bab9a2782c0711f6de35e6968df04c69f7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\prefs.js
Filesize
6KB

MD5
724575dcd65675ec1ef98217f403224b

SHA1
cb899d8022f7f78eedd0a8a3a63edcbcf1b6a532

SHA256
986d8769851e69db722e3fe34b9546e791909ed63aa46148a94255366854196b

SHA512
d270ca01ec89aeb6e65eae0c25798346544afc4d7a296fe7e2fcbb340b9576141f589fd4da8cae784d077d097ea3e69ddf16919848507f849d39fbb753f6c375

Download Submit
memory/400-39-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/400-36-0x0000029133FF0000-0x0000029134030000-memory.dmp

Filesize
256KB

Download
memory/2068-42-0x000001A3DC600000-0x000001A3DC612000-memory.dmp

Filesize
72KB

Download
memory/2068-40-0x000001A3C2560000-0x000001A3C25B2000-memory.dmp

Filesize
328KB

Download
memory/2068-41-0x000001A3DC5C0000-0x000001A3DC5DA000-memory.dmp

Filesize
104KB

Download
memory/2068-38-0x000001A3C1A30000-0x000001A3C2180000-memory.dmp

Filesize
7.3MB

Download
memory/2068-43-0x000001A3DCA00000-0x000001A3DCC14000-memory.dmp

Filesize
2.1MB

Download
memory/2068-20-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

Filesize
8KB

Download
memory/4544-37-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4544-24-0x0000000000CB0000-0x0000000000D38000-memory.dmp

Filesize
544KB

Download
memory/4624-35-0x0000000000400000-0x0000000000C0F000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads