agenttesla | ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5

General

Target

ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
Size

1.1MB
MD5

eb4d07f7aa59e7b313fba17f44004262
SHA1

70c2427dd9f0ad884b1157cbed0d550df9903452
SHA256

ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5
SHA512

4b34abc556feafacd372dc383fec0612a0e816d9d89bcf0aad7f5cc966d3004862f3cc0cbc80d1fd8aadfa2ddbaa5543c2099d5bcfe2ecf0e6415967abc87680
SSDEEP

24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8a6GUjU+6SmA:STvC/MTQYxsWR7a6GUjUI

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.rrcindia.co.in
Port:
587
Username:
[email protected]
Password:
Goyal@0783
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0018000000018b3e-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2912	2708	name.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2912	RegSvcs.exe
2912	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2708	name.exe
2708	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	RegSvcs.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe
2708	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2708	2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe	29
PID 2064 wrote to memory of 2708	2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe	29
PID 2064 wrote to memory of 2708	2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe	29
PID 2064 wrote to memory of 2708	2064	ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe	29
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30
PID 2708 wrote to memory of 2912	2708	name.exe	30

C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
"C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hegeleos

Filesize
234KB

MD5
5a57c1b57e8f56b47a22505015d1dbb0

SHA1
967ca29dd47813097b8f872808d35b4651715f98

SHA256
40795e61633c3224d000d0e255dd753879f60758b9ed34f1059fe8cb68cda950

SHA512
7b04429127ceeda91ba9e4d56c099e80e8472e4acec83146d48174da4f759273c81cdf3c9e40a167f889bff1f14518e5943588442c494c9c354129be6e123ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prober

Filesize
84KB

MD5
d5d1e82f394d186e561d014d2a71231f

SHA1
0aca292245da7fb900647bbf8a3ef7eaf56428cc

SHA256
50f749c532e0dbb4fa0a4d9aa178e7e0995dd368d144017e1cb249e4dda08126

SHA512
8d86132d20baf32e974b46eff83458c0c31099ab01599376ff55c695d0d4608d318eddf0236c7b1dfa22c54db726af478a1e4f1b8cc0e28cd3cb5719cb2a64c8

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
eb4d07f7aa59e7b313fba17f44004262

SHA1
70c2427dd9f0ad884b1157cbed0d550df9903452

SHA256
ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5

SHA512
4b34abc556feafacd372dc383fec0612a0e816d9d89bcf0aad7f5cc966d3004862f3cc0cbc80d1fd8aadfa2ddbaa5543c2099d5bcfe2ecf0e6415967abc87680

Download Submit
memory/2064-11-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/2912-34-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2912-32-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2912-41-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2912-38-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2912-42-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

Filesize
4KB

Download
memory/2912-43-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-44-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

Filesize
4KB

Download
memory/2912-45-0x0000000073B30000-0x000000007421E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing