agenttesla | 3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe
Size

973KB
MD5

5c476a26f9288899b8c5df769549dc3b
SHA1

cb7794062569e0ca10e1588fbc454b6ba0f59f37
SHA256

3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86
SHA512

56e415db49c949d1853e92f0626e95413d194e38c21fc8bc59809f76c73ef3d634ac9bde868a8328971706797a103e2955102e00945d736451e1fd6af657536c
SSDEEP

24576:YCXTaMLTuPwXGHCiNN41J9hAd+nl7InbXwjrET3Xyy/vh0:YCjo+91dAd+l/jfuh0

Score

10^/10

agenttesla redline bigpay credential_access discovery execution infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
manlikeyou88
Email To:
[email protected]

Extracted

Family

redline

Botnet

bigpay

204.10.160.140:7001

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000193d5-44.dat	family_redline
behavioral1/memory/1948-49-0x0000000000BD0000-0x0000000000C22000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2032	powershell.exe
2340	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	newfile.exe
1948	build.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	RegSvcs.exe
1720	RegSvcs.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2340	powershell.exe
2032	powershell.exe
2296	newfile.exe
2296	newfile.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2296	newfile.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2340	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	31
PID 2272 wrote to memory of 2340	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	31
PID 2272 wrote to memory of 2340	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	31
PID 2272 wrote to memory of 2340	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	31
PID 2272 wrote to memory of 2032	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2272 wrote to memory of 2032	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2272 wrote to memory of 2032	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2272 wrote to memory of 2032	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2272 wrote to memory of 2736	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	35
PID 2272 wrote to memory of 2736	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	35
PID 2272 wrote to memory of 2736	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	35
PID 2272 wrote to memory of 2736	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	35
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 2272 wrote to memory of 1720	2272	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	37
PID 1720 wrote to memory of 2296	1720	RegSvcs.exe	38
PID 1720 wrote to memory of 2296	1720	RegSvcs.exe	38
PID 1720 wrote to memory of 2296	1720	RegSvcs.exe	38
PID 1720 wrote to memory of 2296	1720	RegSvcs.exe	38
PID 1720 wrote to memory of 1948	1720	RegSvcs.exe	39
PID 1720 wrote to memory of 1948	1720	RegSvcs.exe	39
PID 1720 wrote to memory of 1948	1720	RegSvcs.exe	39
PID 1720 wrote to memory of 1948	1720	RegSvcs.exe	39

C:\Users\Admin\AppData\Local\Temp\3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe
"C:\Users\Admin\AppData\Local\Temp\3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tSYPqhw.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tSYPqhw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\newfile.exe
    "C:\Users\Admin\AppData\Local\Temp\newfile.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp

Filesize
1KB

MD5
f09d11f18bfa868c411ec8d0b22c7bbd

SHA1
1c730b32ac21ceef8ece699226ba2eb8f2db173a

SHA256
37880667fd2edc000456a6877cbc724d7ff933f6f34fdf16d000511ece47bd69

SHA512
3ae98ec4c39394513b6501116ef98d9241c20c53f35997d7ea78344e65af5a6839f2c0eb017180b5afa8770bf01ab93f919b1de6019dfc6db685458f0a8e285a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KNR6CL6B2T7TLJJH0CXT.temp

Filesize
7KB

MD5
a24d7bd78e0fd3664dbea7d97dbd4e38

SHA1
6927a61a64f97fdf993f77ae84f8321810e46ee9

SHA256
bc67199a1c85a6caecc9507d3a026969c76abfbd5fcbf85e05f2d8ad2f32c321

SHA512
c5d1d24c3848e6359d973043fde1461ab85642035a3828f9dab088b91e88ed8d0f43513ce987588135af41104de17cb3ef7022fc206e8f4fb7d445e8ee2baecc

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
f438d85cb04ea1b9fa4e32cfd4b28d0f

SHA1
3a0dd7cd2036b41fb5982e98c798802f8af619ac

SHA256
fada9b55d3b3995f6bddb357370843fced984832063945eac08b6eb182fced52

SHA512
e21c8b975c3a5de7500ffd4dc97e8a3062ce4314bf749df5ab3c9f09bbc9f94324afca9149ee11769efd5e76971b0e67baf39c3961f3a1dfec8596c20fa7069b

Download Submit
\Users\Admin\AppData\Local\Temp\newfile.exe

Filesize
234KB

MD5
8234c3ec3aba620ca36e9d5629e3db74

SHA1
09d5b639a270fb4cbf45b2b454db96cc1035a768

SHA256
acff54dc41a4f979a5054bc43649e097472904293fa9c4d23048b30a57bc3149

SHA512
651c26e080b704189266ecb1daca88d1a3f4e67075f362055bd57b1bea52dbb181c299129b503b8674e9c89af5c1455a03abcf7ad417ed8cbbc7c0f7311f6c16

Download Submit
memory/1720-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1720-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1720-26-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1720-29-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1720-32-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1720-30-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1720-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1720-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1948-49-0x0000000000BD0000-0x0000000000C22000-memory.dmp

Filesize
328KB

Download
memory/2272-3-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2272-4-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2272-7-0x00000000050B0000-0x0000000005180000-memory.dmp

Filesize
832KB

Download
memory/2272-0-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2272-6-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2272-5-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-34-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-2-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-1-0x0000000000C30000-0x0000000000D24000-memory.dmp

Filesize
976KB

Download
memory/2296-42-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download