agenttesla | 790e71d3ed88746fa4d2c5c15ae60a08ff70b6f6a19f78bd8a4a04101e6751b2

General

Target

SecuriteInfo.com.FileRepMalware.28867.3609.exe
Size

571KB
MD5

b593617f5eff12947ab02c5a41531b58
SHA1

c1b4ae82e976390359e0499ff5e2e4fc80a47ec4
SHA256

790e71d3ed88746fa4d2c5c15ae60a08ff70b6f6a19f78bd8a4a04101e6751b2
SHA512

05eaa7933870f04eb18979975720267f91c286911c8e0727e2d4d3ca259113cfb5027c62b414dc6f75187c6b2cceeac0b74634c2d7a22416cb83277168dfab4d
SSDEEP

12288:UTqrydQ5QqWOvBIHakHMQsnylZV5GurAKyOgRRxyer:UTqeKQqRvB2atQ9ZV5Ge6Ocp

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 6 IoCs

pid	Process
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\avocadodressing\Kreditorsaldi.sto	SecuriteInfo.com.FileRepMalware.28867.3609.exe
File opened for modification	C:\Windows\SysWOW64\Glassliberi130\Combustive.sel	SecuriteInfo.com.FileRepMalware.28867.3609.exe
File created	C:\Windows\SysWOW64\heterogynous\slvtjsskuffen.lnk	SecuriteInfo.com.FileRepMalware.28867.3609.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3140	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe
3140	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 3140	2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe	94

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\skolebestyrerens.skj	SecuriteInfo.com.FileRepMalware.28867.3609.exe
File opened for modification	C:\Program Files (x86)\chang.Hek	SecuriteInfo.com.FileRepMalware.28867.3609.exe
File opened for modification	C:\Program Files (x86)\ligningsafdelings\aortas.adi	SecuriteInfo.com.FileRepMalware.28867.3609.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Fremskaffet53.trs	SecuriteInfo.com.FileRepMalware.28867.3609.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.FileRepMalware.28867.3609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3140	wab.exe
3140	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	wab.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 3140	2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe	94
PID 2624 wrote to memory of 3140	2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe	94
PID 2624 wrote to memory of 3140	2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe	94
PID 2624 wrote to memory of 3140	2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe	94
PID 2624 wrote to memory of 3140	2624	SecuriteInfo.com.FileRepMalware.28867.3609.exe	94

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28867.3609.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28867.3609.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.28867.3609.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsxCD24.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxCD24.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
memory/2624-26-0x0000000077591000-0x00000000776B1000-memory.dmp

Filesize
1.1MB

Download
memory/2624-27-0x0000000077591000-0x00000000776B1000-memory.dmp

Filesize
1.1MB

Download
memory/2624-28-0x00000000741E5000-0x00000000741E6000-memory.dmp

Filesize
4KB

Download
memory/3140-34-0x00000000012F0000-0x0000000002544000-memory.dmp

Filesize
18.3MB

Download
memory/3140-39-0x0000000036A00000-0x0000000036A66000-memory.dmp

Filesize
408KB

Download
memory/3140-35-0x0000000077591000-0x00000000776B1000-memory.dmp

Filesize
1.1MB

Download
memory/3140-29-0x0000000077618000-0x0000000077619000-memory.dmp

Filesize
4KB

Download
memory/3140-36-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/3140-37-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/3140-38-0x0000000039070000-0x0000000039614000-memory.dmp

Filesize
5.6MB

Download
memory/3140-30-0x0000000077635000-0x0000000077636000-memory.dmp

Filesize
4KB

Download
memory/3140-40-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/3140-42-0x0000000038DE0000-0x0000000038E30000-memory.dmp

Filesize
320KB

Download
memory/3140-43-0x0000000038ED0000-0x0000000038F62000-memory.dmp

Filesize
584KB

Download
memory/3140-44-0x0000000038E30000-0x0000000038E3A000-memory.dmp

Filesize
40KB

Download
memory/3140-45-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/3140-46-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing