agenttesla | f8e0c40c73b254fabb324d43f617db47f3d1d82c44c4802d66d2949623eab44b

General

Target

RFQ-Al NASR-00388.exe
Size

1.4MB
MD5

a1a7b97334260279dd501040e0d8716c
SHA1

c3aa5d13b6008b5d44084f53eedc524b77730eb2
SHA256

8504a16c9bdf57fb23adb5346dd748e53c828472eed8c59d38159f33a3fa112a
SHA512

fcf9a3923a34dafc09240eb2031a7e35508a40c7547907883717183b833751357c9f2792fb6eb7b1ab2ccc23c6094523e49c76cdb5e0a901631190e4d6c3c513
SSDEEP

12288:jiQyGxHB+0zSaBBg4E/r1wG1OVW2yc5XzaNnfFiCJ47/Z/hS5ZkMvwYV4:mQyehHzSgBrET1BeeIzaNfMZpDtR

Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
uy,o#mZj8$lY

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
uy,o#mZj8$lY

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"	CasPol.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2688	2488	RFQ-Al NASR-00388.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	CasPol.exe
2688	CasPol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2688	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2688	2488	RFQ-Al NASR-00388.exe	30
PID 2488 wrote to memory of 2772	2488	RFQ-Al NASR-00388.exe	31
PID 2488 wrote to memory of 2772	2488	RFQ-Al NASR-00388.exe	31
PID 2488 wrote to memory of 2772	2488	RFQ-Al NASR-00388.exe	31

C:\Users\Admin\AppData\Local\Temp\RFQ-Al NASR-00388.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-Al NASR-00388.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2488 -s 656
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-0-0x000007FEF4EE3000-0x000007FEF4EE4000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000001260000-0x0000000001290000-memory.dmp

Filesize
192KB

Download
memory/2488-2-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

Filesize
9.9MB

Download
memory/2488-3-0x0000000000990000-0x0000000000A26000-memory.dmp

Filesize
600KB

Download
memory/2488-23-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

Filesize
9.9MB

Download
memory/2488-22-0x000007FEF4EE3000-0x000007FEF4EE4000-memory.dmp

Filesize
4KB

Download
memory/2688-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-18-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2688-19-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-24-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2688-25-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads