agenttesla | 9b781f4e9bbd1433c696257ec61de538c7d605921fd71bc92733abc28ba95b53

General

Target

NEW ORDER PURCHASE.exe
Size

760KB
MD5

cde7970091a0b3fd19f7f8f3a855b583
SHA1

6c55f16de86b9dc9052c5e2fe2d94ce6d7e79e9e
SHA256

8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9
SHA512

19bd3514fdf5d0ff6b47268795bd13c03401d6adb74553e578b7bf40b1c5219ebb7fd40c9f587ff8cf1f3a1f7d834ac5cb006c66d0374badc7d897033625cdeb
SSDEEP

12288:zU3929BC4rqhpfVIbQMjRq/3ml/bCoygRFg+48MMOI/bxqbyoZ48oLBbl+d/WDwt:zU89BNuhEbQM62UPjZU/lqjY1ZUW8t

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
phoenixblowers.com
Port:
587
Username:
[email protected]
Password:
Officeback@2022#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
2760	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 2520	624	NEW ORDER PURCHASE.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEW ORDER PURCHASE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
624	NEW ORDER PURCHASE.exe
624	NEW ORDER PURCHASE.exe
2520	RegSvcs.exe
2520	RegSvcs.exe
2808	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	NEW ORDER PURCHASE.exe
Token: SeDebugPrivilege	2520	RegSvcs.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2760	624	NEW ORDER PURCHASE.exe	30
PID 624 wrote to memory of 2760	624	NEW ORDER PURCHASE.exe	30
PID 624 wrote to memory of 2760	624	NEW ORDER PURCHASE.exe	30
PID 624 wrote to memory of 2760	624	NEW ORDER PURCHASE.exe	30
PID 624 wrote to memory of 2808	624	NEW ORDER PURCHASE.exe	32
PID 624 wrote to memory of 2808	624	NEW ORDER PURCHASE.exe	32
PID 624 wrote to memory of 2808	624	NEW ORDER PURCHASE.exe	32
PID 624 wrote to memory of 2808	624	NEW ORDER PURCHASE.exe	32
PID 624 wrote to memory of 2796	624	NEW ORDER PURCHASE.exe	34
PID 624 wrote to memory of 2796	624	NEW ORDER PURCHASE.exe	34
PID 624 wrote to memory of 2796	624	NEW ORDER PURCHASE.exe	34
PID 624 wrote to memory of 2796	624	NEW ORDER PURCHASE.exe	34
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36
PID 624 wrote to memory of 2520	624	NEW ORDER PURCHASE.exe	36

C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW ORDER PURCHASE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CRPPQhtKTF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CRPPQhtKTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp760A.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp760A.tmp

Filesize
1KB

MD5
3b7fad0a59a1cf26eb26c3b5054757b8

SHA1
a0cfa25acd31a49e6066e667a1eb54c271cdc844

SHA256
fe8c4becfee5277b5fa306a6f88b67141a3d2d490d10db2258833bc0be15b397

SHA512
4bf2b1a57e24f7e41f0cc1771ad0065d0d932b08926413a0fb48f5619fcc397cc7c4f863636bfb7cc6c119f508ba9a9448bd139d2eadc9d473fa161cb5697e35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7G8MU3YSDN2E3L6R6YHN.temp

Filesize
7KB

MD5
81deb53af632732ed88b389615ff4204

SHA1
47fd294934e2bcbda6a17f330f5f15d5bb5a2772

SHA256
3f9a19f748a2e9acf3eb65029fb313e1012b4bc51254efd8153c80d514b4c3b5

SHA512
83681c9d8c65e17222ee38de40854b7e4c5c5303614113a5ef67d0640b58a7b7c83e2e85a63ec33ce99b8bbd20068ac1bb3478db697cb1d1aad4b1c0a45baf2c

Download Submit
memory/624-30-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/624-1-0x0000000001360000-0x0000000001422000-memory.dmp

Filesize
776KB

Download
memory/624-2-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/624-3-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/624-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/624-5-0x0000000000E50000-0x0000000000ED2000-memory.dmp

Filesize
520KB

Download
memory/624-0-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2520-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads