agenttesla | e97f3a6509a904071f9caad377086b99030d3a8ec0dc75551cb16459ce8c0b38

General

Target

Scaaned_Products_Specifications‮sxlx..exe
Size

1.6MB
MD5

68870c1548aaef1ebb33b4bc324a40f8
SHA1

92b3d71abe0ce4d3afc5973a20456ac547fe5f60
SHA256

5e7a31b88c9972678a7f64c36f42d7a0172e3f1672db3aeccc5c7e5c575524c0
SHA512

86f8ec2ce556049810c4e404d71b1ecb246270c6dd69830a259aef3e46b240d3ebf725d0f48bd19648cd705c63d0fd67774f8e180bd1db93e2eade4eca388857
SSDEEP

12288:iLsQXlH5DY6Co9q/KpByx0JW23URhqomgNo01La4MJ:iLsQX55DY6CaqiuxeeREovu0Nan

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.oserfech.eu
Port:
587
Username:
[email protected]
Password:
Epicoffice@2024

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oserfech.eu
Port:
587
Username:
[email protected]
Password:
Epicoffice@2024
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral2/memory/3640-3-0x00000239C4AF0000-0x00000239C4B86000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plQRnonsft = "C:\\Users\\Admin\\AppData\\Roaming\\plQRnonsft\\plQRnonsft.exe"	jsc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
37	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3640 set thread context of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2828	jsc.exe
2828	jsc.exe
2828	jsc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	jsc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 2828	3640	Scaaned_Products_Specifications‮sxlx..exe	89
PID 3640 wrote to memory of 1752	3640	Scaaned_Products_Specifications‮sxlx..exe	90
PID 3640 wrote to memory of 1752	3640	Scaaned_Products_Specifications‮sxlx..exe	90
PID 3640 wrote to memory of 1752	3640	Scaaned_Products_Specifications‮sxlx..exe	90

C:\Users\Admin\AppData\Local\Temp\Scaaned_Products_Specifications‮sxlx..exe
"C:\Users\Admin\AppData\Local\Temp\Scaaned_Products_Specifications‮sxlx..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-9-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-10-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/2828-15-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-14-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/2828-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2828-13-0x0000000006B20000-0x0000000006BBC000-memory.dmp

Filesize
624KB

Download
memory/2828-12-0x0000000006A30000-0x0000000006A80000-memory.dmp

Filesize
320KB

Download
memory/2828-8-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/2828-6-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/3640-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

Filesize
8KB

Download
memory/3640-7-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/3640-1-0x00000239C2CE0000-0x00000239C2CE8000-memory.dmp

Filesize
32KB

Download
memory/3640-5-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

Filesize
8KB

Download
memory/3640-3-0x00000239C4AF0000-0x00000239C4B86000-memory.dmp

Filesize
600KB

Download
memory/3640-2-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads