agenttesla | 3f3d26e4222fe2207b6588eb3672db62c595f20d0e81a18acdb85afb5a30dbfa

Analysis

max time kernel
134s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
Size

1.2MB
MD5

2884d53826b824a28cfbc4ebefabf549
SHA1

6968dbd0d1cedf3bdba126eb784974cbc0e4d2bd
SHA256

1a0c97c25e5ff8c862717d45f566659b76014262e3f8aa2867683f6f62af9be0
SHA512

3e6e5de3b0b36f4d3ca4a33193077706038d1bbaeb6fb1a0a6c4a40af501b814ce261a0f7fc4ac321680bc615eda459b09f4540f47a8ecec2fe2e8af2c04ff80
SSDEEP

24576:ZZj9DS5AM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhs:ZZ4Mw7nx

Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
Asaprocky11
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
1252	po.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\po = "C:\\Program Files (x86)\\po.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.ipify.org
56	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 4932	1252	po.exe	107

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\po.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\po.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	po.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2200	PING.EXE
2848	cmd.exe
1316	PING.EXE
2448	cmd.exe
1644	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2200	PING.EXE
1316	PING.EXE
1644	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1252	po.exe
1252	po.exe
1252	po.exe
1252	po.exe
1252	po.exe
4932	AppLaunch.exe
4932	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
Token: SeDebugPrivilege	1252	po.exe
Token: SeDebugPrivilege	4932	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4932	AppLaunch.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2848	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	87
PID 1488 wrote to memory of 2848	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	87
PID 1488 wrote to memory of 2848	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	87
PID 2848 wrote to memory of 1316	2848	cmd.exe	89
PID 2848 wrote to memory of 1316	2848	cmd.exe	89
PID 2848 wrote to memory of 1316	2848	cmd.exe	89
PID 1488 wrote to memory of 2448	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	95
PID 1488 wrote to memory of 2448	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	95
PID 1488 wrote to memory of 2448	1488	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	95
PID 2448 wrote to memory of 1644	2448	cmd.exe	97
PID 2448 wrote to memory of 1644	2448	cmd.exe	97
PID 2448 wrote to memory of 1644	2448	cmd.exe	97
PID 2848 wrote to memory of 3212	2848	cmd.exe	101
PID 2848 wrote to memory of 3212	2848	cmd.exe	101
PID 2848 wrote to memory of 3212	2848	cmd.exe	101
PID 2448 wrote to memory of 2200	2448	cmd.exe	103
PID 2448 wrote to memory of 2200	2448	cmd.exe	103
PID 2448 wrote to memory of 2200	2448	cmd.exe	103
PID 2448 wrote to memory of 1252	2448	cmd.exe	106
PID 2448 wrote to memory of 1252	2448	cmd.exe	106
PID 2448 wrote to memory of 1252	2448	cmd.exe	106
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107
PID 1252 wrote to memory of 4932	1252	po.exe	107

C:\Users\Admin\AppData\Local\Temp\Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 12 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "po" /t REG_SZ /d "C:\Program Files (x86)\po.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 12
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "po" /t REG_SZ /d "C:\Program Files (x86)\po.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe" "C:\Program Files (x86)\po.exe" && ping 127.0.0.1 -n 24 > nul && "C:\Program Files (x86)\po.exe"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 24
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1644
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 24
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2200
- - C:\Program Files (x86)\po.exe
    "C:\Program Files (x86)\po.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\po.exe

Filesize
1.2MB

MD5
2884d53826b824a28cfbc4ebefabf549

SHA1
6968dbd0d1cedf3bdba126eb784974cbc0e4d2bd

SHA256
1a0c97c25e5ff8c862717d45f566659b76014262e3f8aa2867683f6f62af9be0

SHA512
3e6e5de3b0b36f4d3ca4a33193077706038d1bbaeb6fb1a0a6c4a40af501b814ce261a0f7fc4ac321680bc615eda459b09f4540f47a8ecec2fe2e8af2c04ff80

Download Submit
memory/1252-20-0x0000000006B00000-0x0000000006B06000-memory.dmp

Filesize
24KB

Download
memory/1252-18-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/1252-24-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/1252-21-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/1252-19-0x00000000057F0000-0x000000000580A000-memory.dmp

Filesize
104KB

Download
memory/1252-16-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/1252-17-0x0000000000130000-0x0000000000264000-memory.dmp

Filesize
1.2MB

Download
memory/1488-6-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1488-1-0x0000000000980000-0x0000000000AB4000-memory.dmp

Filesize
1.2MB

Download
memory/1488-2-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/1488-8-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1488-7-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/1488-10-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1488-5-0x00000000051C0000-0x000000000525E000-memory.dmp

Filesize
632KB

Download
memory/1488-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/1488-4-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/1488-3-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4932-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-25-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4932-26-0x00000000068A0000-0x00000000068F0000-memory.dmp

Filesize
320KB

Download