agenttesla | d9f4242482c295b7d65dd05b6f19a8d97e2c531cc2f84708b85cd176ba830615

General

Target

GHF0987654678023.exe
Size

551KB
MD5

8039843db211432bcc15e74c1e8c6da6
SHA1

576def6d2d028b443e4eeacbad28ae8b153b5147
SHA256

d9f4242482c295b7d65dd05b6f19a8d97e2c531cc2f84708b85cd176ba830615
SHA512

b80ff9427dfb0063a7cd6bddc6324cd71bd0b6aa328be35f419e438f3c79e2fcd677130743687c9a4f3762787de080a13360cba78d4410e46e1e43522c230d67
SSDEEP

12288:FYV6MorX7qzuC3QHO9FQVHPF51jgc3cSzl3VY9Pj:6BXu9HGaVH3tx3VY9Pj

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\renownedness.vbs	renownedness.exe

Executes dropped EXE 1 IoCs

pid	Process
852	renownedness.exe

Loads dropped DLL 1 IoCs

pid	Process
2448	GHF0987654678023.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-0-0x0000000000940000-0x0000000000A81000-memory.dmp	upx
behavioral1/files/0x0007000000016141-14.dat	upx
behavioral1/memory/2448-16-0x0000000002610000-0x0000000002751000-memory.dmp	upx
behavioral1/memory/2448-20-0x0000000000940000-0x0000000000A81000-memory.dmp	upx
behavioral1/memory/852-21-0x0000000001360000-0x00000000014A1000-memory.dmp	upx
behavioral1/memory/852-48-0x0000000001360000-0x00000000014A1000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2448-20-0x0000000000940000-0x0000000000A81000-memory.dmp	autoit_exe
behavioral1/memory/852-21-0x0000000001360000-0x00000000014A1000-memory.dmp	autoit_exe
behavioral1/memory/852-48-0x0000000001360000-0x00000000014A1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 2112	852	renownedness.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHF0987654678023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	renownedness.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	RegSvcs.exe
2112	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
852	renownedness.exe
852	renownedness.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2448	GHF0987654678023.exe
2448	GHF0987654678023.exe
852	renownedness.exe
852	renownedness.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2448	GHF0987654678023.exe
2448	GHF0987654678023.exe
852	renownedness.exe
852	renownedness.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 852	2448	GHF0987654678023.exe	31
PID 2448 wrote to memory of 852	2448	GHF0987654678023.exe	31
PID 2448 wrote to memory of 852	2448	GHF0987654678023.exe	31
PID 2448 wrote to memory of 852	2448	GHF0987654678023.exe	31
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32
PID 852 wrote to memory of 2112	852	renownedness.exe	32

C:\Users\Admin\AppData\Local\Temp\GHF0987654678023.exe
"C:\Users\Admin\AppData\Local\Temp\GHF0987654678023.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\unprickled\renownedness.exe
  "C:\Users\Admin\AppData\Local\Temp\GHF0987654678023.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\GHF0987654678023.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thebit

Filesize
203KB

MD5
eef7d56fb043e4ab455c7b31a54ef550

SHA1
662d187a6e6e8bdf91489beef12666739a01c97a

SHA256
89720a5dc24ff2bdb9f031ea88e546604d3f1dc28d6263f88a0d387d92b9a2a5

SHA512
cd185f3fe014a49dc38dc24f6619f1488cc7997d905366049f1d5704177faa18fd19014fba4728a3800a07d5386d89f9ab8723b00b41722febe4f3a9ec712c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\complacence

Filesize
239KB

MD5
349f729f418bc5ab0c444f36d713e943

SHA1
c5afaaff066633353c889e3636ff56ef195894eb

SHA256
08ee869479eb2667cef9e43f4463b42fafc3fb33efe29f7645155a05039e1be2

SHA512
4e30cb95bcf94d71167d16c65e7c9f590f5e983ec2ef9b5b45b3131fec6a7b76a4ba44778da8b3e99c13f2b65dca5a9e8d48c7d402444183b013b5009ed6d8f2

Download Submit
\Users\Admin\AppData\Local\unprickled\renownedness.exe

Filesize
551KB

MD5
8039843db211432bcc15e74c1e8c6da6

SHA1
576def6d2d028b443e4eeacbad28ae8b153b5147

SHA256
d9f4242482c295b7d65dd05b6f19a8d97e2c531cc2f84708b85cd176ba830615

SHA512
b80ff9427dfb0063a7cd6bddc6324cd71bd0b6aa328be35f419e438f3c79e2fcd677130743687c9a4f3762787de080a13360cba78d4410e46e1e43522c230d67

Download Submit
memory/852-21-0x0000000001360000-0x00000000014A1000-memory.dmp

Filesize
1.3MB

Download
memory/852-48-0x0000000001360000-0x00000000014A1000-memory.dmp

Filesize
1.3MB

Download
memory/2112-37-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2112-47-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2112-43-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2112-40-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2112-49-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/2112-50-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-51-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/2112-52-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-20-0x0000000000940000-0x0000000000A81000-memory.dmp

Filesize
1.3MB

Download
memory/2448-16-0x0000000002610000-0x0000000002751000-memory.dmp

Filesize
1.3MB

Download
memory/2448-0-0x0000000000940000-0x0000000000A81000-memory.dmp

Filesize
1.3MB

Download
memory/2448-12-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing