agenttesla | e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f

General

Target

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
Size

649KB
MD5

6fe36f5cd0c522ca1241658ec2553db3
SHA1

f197615adff4daace92fd2f0c4f266a6170aa464
SHA256

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f
SHA512

2b288eab811c12a818d089d419b8e51ee0b3692274010303f968fae82dde99a82c8601621860222c3b365f64fcc6508310e51cf3a954414054822d293d39196b
SSDEEP

12288:BY0bffsWYCGpoTt4wT3eFjtyiyCgchaxpvQfSgYE:BY0zjqgt/T38jty8hs4fPYE

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 7 IoCs

Processes:

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe

pid	Process
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid	Process
1620	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exewab.exe

pid	Process
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
1620	wab.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe

description	pid	Process	procid_target
PID 3244 set thread context of 1620	3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exewab.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wab.exe

pid	Process
1620	wab.exe
1620	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe

pid	Process
3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wab.exe

description	pid	Process
Token: SeDebugPrivilege	1620	wab.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe

description	pid	Process	procid_target
PID 3244 wrote to memory of 1620	3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe	78
PID 3244 wrote to memory of 1620	3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe	78
PID 3244 wrote to memory of 1620	3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe	78
PID 3244 wrote to memory of 1620	3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe	78
PID 3244 wrote to memory of 1620	3244	e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe	78

C:\Users\Admin\AppData\Local\Temp\e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe
"C:\Users\Admin\AppData\Local\Temp\e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf4A1.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf4A1.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1620-35-0x0000000037EF0000-0x0000000038496000-memory.dmp

Filesize
5.6MB

Download
memory/1620-30-0x00007FFEE5340000-0x00007FFEE5549000-memory.dmp

Filesize
2.0MB

Download
memory/1620-31-0x0000000000E90000-0x00000000021A7000-memory.dmp

Filesize
19.1MB

Download
memory/1620-32-0x00007FFEE5340000-0x00007FFEE5549000-memory.dmp

Filesize
2.0MB

Download
memory/1620-33-0x00007FFEE5340000-0x00007FFEE5549000-memory.dmp

Filesize
2.0MB

Download
memory/1620-34-0x0000000000E90000-0x0000000000ED0000-memory.dmp

Filesize
256KB

Download
memory/1620-36-0x0000000037940000-0x00000000379A6000-memory.dmp

Filesize
408KB

Download
memory/1620-38-0x0000000037D20000-0x0000000037D70000-memory.dmp

Filesize
320KB

Download
memory/1620-39-0x0000000037E10000-0x0000000037EA2000-memory.dmp

Filesize
584KB

Download
memory/1620-40-0x0000000037D70000-0x0000000037D7A000-memory.dmp

Filesize
40KB

Download
memory/1620-42-0x00007FFEE5340000-0x00007FFEE5549000-memory.dmp

Filesize
2.0MB

Download
memory/3244-29-0x00007FFEE5340000-0x00007FFEE5549000-memory.dmp

Filesize
2.0MB

Download
memory/3244-28-0x00007FFEE5341000-0x00007FFEE546A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads