agenttesla | 8b8b3f8f54abd3b9b6b2620362f5e0773f9859ae468fdd4c816797b261b50ea0

General

Target

avanss.exe
Size

75KB
MD5

c4c8795510f78d2251f0b746d46429b5
SHA1

2caf2fc8895b7a88c32281bdeff3ce7fb298d6bf
SHA256

8b8b3f8f54abd3b9b6b2620362f5e0773f9859ae468fdd4c816797b261b50ea0
SHA512

4ab80bc55a1fc2cfde22545799a27004bbfd0fcc4d106daff6fd1589708f5d82d1a9b4361395dc2a90155a97efa2ec56c9c7703844f9af807274ec91edcc4e97
SSDEEP

1536:4Ub2to+b4SFSN007ZxgOzdupbj4VQ3aDwFd:4Ub2trb4SQNl3Vq3aDa

Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtps.aruba.it
Port:
587
Username:
[email protected]
Password:
Franco2016!

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtps.aruba.it
Port:
587
Username:
[email protected]
Password:
Franco2016!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avanss = "C:\\Users\\Admin\\Documents\\avanss.pif"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.ipify.org
27	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 4044	1308	avanss.exe	100

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avanss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avanss.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
1308	avanss.exe
4044	avanss.exe
4044	avanss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	avanss.exe
Token: SeDebugPrivilege	4044	avanss.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 3652	1308	avanss.exe	85
PID 1308 wrote to memory of 3652	1308	avanss.exe	85
PID 1308 wrote to memory of 3652	1308	avanss.exe	85
PID 3652 wrote to memory of 4520	3652	csc.exe	87
PID 3652 wrote to memory of 4520	3652	csc.exe	87
PID 3652 wrote to memory of 4520	3652	csc.exe	87
PID 1308 wrote to memory of 4104	1308	avanss.exe	95
PID 1308 wrote to memory of 4104	1308	avanss.exe	95
PID 1308 wrote to memory of 4104	1308	avanss.exe	95
PID 4104 wrote to memory of 1908	4104	cmd.exe	97
PID 4104 wrote to memory of 1908	4104	cmd.exe	97
PID 4104 wrote to memory of 1908	4104	cmd.exe	97
PID 1308 wrote to memory of 776	1308	avanss.exe	98
PID 1308 wrote to memory of 776	1308	avanss.exe	98
PID 1308 wrote to memory of 776	1308	avanss.exe	98
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100
PID 1308 wrote to memory of 4044	1308	avanss.exe	100

C:\Users\Admin\AppData\Local\Temp\avanss.exe
"C:\Users\Admin\AppData\Local\Temp\avanss.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieae20ou\ieae20ou.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62B1.tmp" "c:\Users\Admin\AppData\Local\Temp\ieae20ou\CSCA53B7C35FF5C49F28E63B4B2882AAFA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "avanss" /t REG_SZ /F /D "C:\Users\Admin\Documents\avanss.pif"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "avanss" /t REG_SZ /F /D "C:\Users\Admin\Documents\avanss.pif"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\avanss.exe" "C:\Users\Admin\Documents\avanss.pif"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Users\Admin\AppData\Local\Temp\avanss.exe
  "C:\Users\Admin\AppData\Local\Temp\avanss.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\avanss.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62B1.tmp

Filesize
1KB

MD5
25022c372ca47a9a8f05ffbe13366de4

SHA1
4666d66c11b87faebb6fe2c25efaf2623964dfe6

SHA256
b401da779d93e42b59916decd7be6301ed5d2dfe0ee9559ff4a9b4973d2c59a6

SHA512
c85e8dd72a50d1d45df098c025adf1734247059247a6d7fade58e2e34c0110676f578762b96621af35c41e37daa43208f0e7ee1209525780774019df5f406a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieae20ou\ieae20ou.dll

Filesize
4KB

MD5
b3a20b30595ebcd852342c30369d9ad0

SHA1
d97d02aedb3b97d8667c44431ff70856c2117fd7

SHA256
84dd588f842add833a42bc0a71d86c4185237dd14a9c22f9afb12bf931a84384

SHA512
142529f4c4a98d927cfc24666d982f119249333a14c661fc5b83555dd7e9fd2da0800b82865e62f492fbc48806a3ac9420f5fb4b8e21572a62ae9d40988a82f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ieae20ou\CSCA53B7C35FF5C49F28E63B4B2882AAFA.TMP

Filesize
652B

MD5
c244de78f54fa0ad621e8d8650445acd

SHA1
dedf9a6a83ef4640617b1423099b8dce59f93530

SHA256
00f8ef3dbabd3e46c6022e0e716530adba600ec51ed03adc6c2f56f471435910

SHA512
c94387b57e6d7e5bf616730b3192bff12954d90a82b89716f33448d72cc72be8ab34b578427b2cc59404c78a561787a245cde0a7b9dbfa65d92bd4554cd07943

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ieae20ou\ieae20ou.0.cs

Filesize
831B

MD5
3a7abcbcc7e75d02c2ba87ab984253e0

SHA1
6eda407060d6911209932243d0fdbb19a33d0f25

SHA256
2faf96d04d71543170b4e2cd0fee9cca3183040c85cd56dcbfeac7711da99ad2

SHA512
1100076754edbb7a4e0597d4288237e9fbfe4fd7832d67f2100fb1b7a1c47375613058b2659682442ce3cbe918a3b88f2c30951e9ab9d63e4bfc504df50a6ecc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ieae20ou\ieae20ou.cmdline

Filesize
270B

MD5
bbfe7004a2f0416354e259243690bfb1

SHA1
a0a2778dd2aa12dac5c0465d9d2ee5aa7e29921b

SHA256
43c8be0619712a94236467257809635c238a411ea8d09d1fd8931bfa9b53a915

SHA512
b9019c46ef1afa8fc2ba83ef722830867e217b34e1fffcd98b1dc935b97c9140c63de28b2a2e36856d4331dbb432fa1ee98f17e70c85fa6f73e98d837988718c

Download Submit
memory/1308-5-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/1308-21-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

Filesize
4KB

Download
memory/1308-4-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/1308-3-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/1308-2-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/1308-18-0x0000000006250000-0x0000000006258000-memory.dmp

Filesize
32KB

Download
memory/1308-20-0x0000000007810000-0x0000000007886000-memory.dmp

Filesize
472KB

Download
memory/1308-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

Filesize
4KB

Download
memory/1308-22-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/1308-23-0x0000000007A70000-0x0000000007B0C000-memory.dmp

Filesize
624KB

Download
memory/1308-24-0x0000000007B10000-0x0000000007B76000-memory.dmp

Filesize
408KB

Download
memory/1308-30-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/1308-1-0x0000000000080000-0x0000000000098000-memory.dmp

Filesize
96KB

Download
memory/4044-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-31-0x00000000065D0000-0x0000000006620000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads