agenttesla | 3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86

Analysis

max time kernel
142s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe
Size

973KB
MD5

5c476a26f9288899b8c5df769549dc3b
SHA1

cb7794062569e0ca10e1588fbc454b6ba0f59f37
SHA256

3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86
SHA512

56e415db49c949d1853e92f0626e95413d194e38c21fc8bc59809f76c73ef3d634ac9bde868a8328971706797a103e2955102e00945d736451e1fd6af657536c
SSDEEP

24576:YCXTaMLTuPwXGHCiNN41J9hAd+nl7InbXwjrET3Xyy/vh0:YCjo+91dAd+l/jfuh0

Score

10^/10

agenttesla redline bigpay credential_access discovery execution infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
manlikeyou88
Email To:
[email protected]

Extracted

Family

redline

Botnet

bigpay

204.10.160.140:7001

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015cf8-44.dat	family_redline
behavioral1/memory/2176-49-0x0000000001370000-0x00000000013C2000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2780	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2252	newfile.exe
2176	build.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	RegSvcs.exe
2244	RegSvcs.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	newfile.exe
2252	newfile.exe
2564	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	newfile.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2564	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	30
PID 2688 wrote to memory of 2564	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	30
PID 2688 wrote to memory of 2564	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	30
PID 2688 wrote to memory of 2564	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	30
PID 2688 wrote to memory of 2780	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	32
PID 2688 wrote to memory of 2780	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	32
PID 2688 wrote to memory of 2780	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	32
PID 2688 wrote to memory of 2780	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	32
PID 2688 wrote to memory of 2580	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2688 wrote to memory of 2580	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2688 wrote to memory of 2580	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2688 wrote to memory of 2580	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	33
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2688 wrote to memory of 2244	2688	3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe	36
PID 2244 wrote to memory of 2252	2244	RegSvcs.exe	37
PID 2244 wrote to memory of 2252	2244	RegSvcs.exe	37
PID 2244 wrote to memory of 2252	2244	RegSvcs.exe	37
PID 2244 wrote to memory of 2252	2244	RegSvcs.exe	37
PID 2244 wrote to memory of 2176	2244	RegSvcs.exe	38
PID 2244 wrote to memory of 2176	2244	RegSvcs.exe	38
PID 2244 wrote to memory of 2176	2244	RegSvcs.exe	38
PID 2244 wrote to memory of 2176	2244	RegSvcs.exe	38

C:\Users\Admin\AppData\Local\Temp\3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe
"C:\Users\Admin\AppData\Local\Temp\3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tSYPqhw.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tSYPqhw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\newfile.exe
    "C:\Users\Admin\AppData\Local\Temp\newfile.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\newfile.exe

Filesize
234KB

MD5
8234c3ec3aba620ca36e9d5629e3db74

SHA1
09d5b639a270fb4cbf45b2b454db96cc1035a768

SHA256
acff54dc41a4f979a5054bc43649e097472904293fa9c4d23048b30a57bc3149

SHA512
651c26e080b704189266ecb1daca88d1a3f4e67075f362055bd57b1bea52dbb181c299129b503b8674e9c89af5c1455a03abcf7ad417ed8cbbc7c0f7311f6c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B10.tmp

Filesize
1KB

MD5
b3c1748e95116414ab384e296bc9c5eb

SHA1
649cafa6b7a0bf6907dfb64054d3abd917924b8a

SHA256
b9a5b3a97f128c5c3af5aae4ec2d1b25b257e5300eb9277dfad4633f064d8a39

SHA512
ba876141921ccdab4de0539756cb033cda07f457c113a58e505b61fda379fc38b71811bcda1e11eb3e009d09b33d2b34b8dddf4672347d5d5b243a8915bd5aba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RK2SXT6H87HTZVD7ICIF.temp

Filesize
7KB

MD5
7f57ba2798607d4e14ab12ad7a63b492

SHA1
0930d992c7a8079b6e117cbad1c365f93d0c4e2b

SHA256
0dc63072da10fa97d6d25755f62fe6f6560f79743dde8972bb90113f3913410a

SHA512
4dad7f32c2dab528d0fbdcd851ca179256b93470a90239d839c653eb8e50d6cbc8da01f8f8c3be999b97d0a3e27bea30f0f7df1b3ce085917d540275f2e62fe5

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
f438d85cb04ea1b9fa4e32cfd4b28d0f

SHA1
3a0dd7cd2036b41fb5982e98c798802f8af619ac

SHA256
fada9b55d3b3995f6bddb357370843fced984832063945eac08b6eb182fced52

SHA512
e21c8b975c3a5de7500ffd4dc97e8a3062ce4314bf749df5ab3c9f09bbc9f94324afca9149ee11769efd5e76971b0e67baf39c3961f3a1dfec8596c20fa7069b

Download Submit
memory/2176-49-0x0000000001370000-0x00000000013C2000-memory.dmp

Filesize
328KB

Download
memory/2244-26-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2244-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2244-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2244-32-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2244-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2244-29-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2244-30-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2252-42-0x00000000013C0000-0x0000000001400000-memory.dmp

Filesize
256KB

Download
memory/2688-4-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2688-6-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/2688-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2688-5-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-7-0x0000000005230000-0x0000000005300000-memory.dmp

Filesize
832KB

Download
memory/2688-34-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-3-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/2688-2-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-1-0x0000000001300000-0x00000000013F4000-memory.dmp

Filesize
976KB

Download