agenttesla | c44771fda8ab48c96941445745f13cda96054fdffbe8f9768348a2ceb7a4a1c9

General

Target

Printerhp_Scan shipdocs pdf.exe
Size

648KB
MD5

682c5f7b82797efe8163e15865817d36
SHA1

515000c33157ff45f38536d26b3ec092901977c9
SHA256

30506cb061d4a4acc16ac2885769ea3d6330b923524457e9c1d7d88aad2fc60f
SHA512

a3724ff879c29d7fe430ec567419c615e439b331322fc7a3e9c2a7c7d3692d62c47bfaab63df107cc6384ae7517197f045aac68fcaaba56e28e343a26155a589
SSDEEP

12288:WsHzOUNUSB/o5LsI1uwajJ5yvv1l2LiCMaD7YjibZ1XN3ohXFU8LQo:5iUmSB/o5d1ubcv/QYO9qFl

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
nW5AoStmqtxtXpA

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
nW5AoStmqtxtXpA
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-0-0x0000000001360000-0x00000000014D1000-memory.dmp	upx
behavioral1/memory/2332-19-0x0000000001360000-0x00000000014D1000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
4	api.ipify.org
5	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2332-19-0x0000000001360000-0x00000000014D1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Printerhp_Scan shipdocs pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2068	RegSvcs.exe
2068	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2332	Printerhp_Scan shipdocs pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30
PID 2332 wrote to memory of 2068	2332	Printerhp_Scan shipdocs pdf.exe	30

C:\Users\Admin\AppData\Local\Temp\Printerhp_Scan shipdocs pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Printerhp_Scan shipdocs pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Printerhp_Scan shipdocs pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2068-20-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2068-21-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2068-22-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2068-23-0x0000000074760000-0x0000000074E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-0-0x0000000001360000-0x00000000014D1000-memory.dmp

Filesize
1.4MB

Download
memory/2332-12-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/2332-19-0x0000000001360000-0x00000000014D1000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads