agenttesla | 3f3d26e4222fe2207b6588eb3672db62c595f20d0e81a18acdb85afb5a30dbfa

Analysis

max time kernel
136s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
Size

1.2MB
MD5

2884d53826b824a28cfbc4ebefabf549
SHA1

6968dbd0d1cedf3bdba126eb784974cbc0e4d2bd
SHA256

1a0c97c25e5ff8c862717d45f566659b76014262e3f8aa2867683f6f62af9be0
SHA512

3e6e5de3b0b36f4d3ca4a33193077706038d1bbaeb6fb1a0a6c4a40af501b814ce261a0f7fc4ac321680bc615eda459b09f4540f47a8ecec2fe2e8af2c04ff80
SSDEEP

24576:ZZj9DS5AM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhs:ZZ4Mw7nx

Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
Asaprocky11
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
4260	po.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\po = "C:\\Program Files (x86)\\po.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	api.ipify.org
55	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 972	4260	po.exe	115

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\po.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\po.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	po.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3008	cmd.exe
4956	PING.EXE
3916	PING.EXE
4856	cmd.exe
1412	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4956	PING.EXE
3916	PING.EXE
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
4260	po.exe
4260	po.exe
4260	po.exe
4260	po.exe
4260	po.exe
4260	po.exe
972	AppLaunch.exe
972	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
Token: SeDebugPrivilege	4260	po.exe
Token: SeDebugPrivilege	972	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
972	AppLaunch.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4856	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	94
PID 1740 wrote to memory of 4856	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	94
PID 1740 wrote to memory of 4856	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	94
PID 4856 wrote to memory of 1412	4856	cmd.exe	96
PID 4856 wrote to memory of 1412	4856	cmd.exe	96
PID 4856 wrote to memory of 1412	4856	cmd.exe	96
PID 1740 wrote to memory of 3008	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	103
PID 1740 wrote to memory of 3008	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	103
PID 1740 wrote to memory of 3008	1740	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	103
PID 3008 wrote to memory of 4956	3008	cmd.exe	105
PID 3008 wrote to memory of 4956	3008	cmd.exe	105
PID 3008 wrote to memory of 4956	3008	cmd.exe	105
PID 4856 wrote to memory of 2824	4856	cmd.exe	108
PID 4856 wrote to memory of 2824	4856	cmd.exe	108
PID 4856 wrote to memory of 2824	4856	cmd.exe	108
PID 3008 wrote to memory of 3916	3008	cmd.exe	111
PID 3008 wrote to memory of 3916	3008	cmd.exe	111
PID 3008 wrote to memory of 3916	3008	cmd.exe	111
PID 3008 wrote to memory of 4260	3008	cmd.exe	114
PID 3008 wrote to memory of 4260	3008	cmd.exe	114
PID 3008 wrote to memory of 4260	3008	cmd.exe	114
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115
PID 4260 wrote to memory of 972	4260	po.exe	115

C:\Users\Admin\AppData\Local\Temp\Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 13 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "po" /t REG_SZ /d "C:\Program Files (x86)\po.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 13
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1412
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "po" /t REG_SZ /d "C:\Program Files (x86)\po.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 23 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe" "C:\Program Files (x86)\po.exe" && ping 127.0.0.1 -n 23 > nul && "C:\Program Files (x86)\po.exe"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 23
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4956
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 23
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3916
- - C:\Program Files (x86)\po.exe
    "C:\Program Files (x86)\po.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\po.exe

Filesize
1.2MB

MD5
2884d53826b824a28cfbc4ebefabf549

SHA1
6968dbd0d1cedf3bdba126eb784974cbc0e4d2bd

SHA256
1a0c97c25e5ff8c862717d45f566659b76014262e3f8aa2867683f6f62af9be0

SHA512
3e6e5de3b0b36f4d3ca4a33193077706038d1bbaeb6fb1a0a6c4a40af501b814ce261a0f7fc4ac321680bc615eda459b09f4540f47a8ecec2fe2e8af2c04ff80

Download Submit
memory/972-27-0x00000000062B0000-0x0000000006300000-memory.dmp

Filesize
320KB

Download
memory/972-26-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/972-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-5-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1740-3-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1740-6-0x00000000057B0000-0x000000000584E000-memory.dmp

Filesize
632KB

Download
memory/1740-7-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/1740-8-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1740-10-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1740-4-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/1740-1-0x0000000000920000-0x0000000000A54000-memory.dmp

Filesize
1.2MB

Download
memory/1740-2-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/1740-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/4260-18-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4260-20-0x00000000074F0000-0x00000000074F6000-memory.dmp

Filesize
24KB

Download
memory/4260-21-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4260-22-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4260-19-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/4260-25-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/4260-17-0x0000000000D80000-0x0000000000EB4000-memory.dmp

Filesize
1.2MB

Download
memory/4260-16-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download