agenttesla | eec8c10e557878b327ee9e50e7b87a8205949a30775d792ea6b24b427ed01bae

General

Target

ui.exe
Size

3.8MB
MD5

3569910289e6b0091cebcd43b30d93e4
SHA1

bfed29dd51e28326e17f938ddb5ff59f84aac622
SHA256

eec8c10e557878b327ee9e50e7b87a8205949a30775d792ea6b24b427ed01bae
SHA512

7e6af73b5fafd6edfca3a76ef00f8b6db0d9ff6be317f1cedb5003893d9fe31041963145ee77953c1ccebe967e3d83b216615d26a0e5ee8c1e3c8826093d9b7e
SSDEEP

98304:ZPnQZWNbNHjSZEGECRLpXa+0BmoatvfnagX/tbBhlD:eWNbNHbGEC9U78onGtjl

Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2868-14-0x0000000000BA0000-0x0000000000BB8000-memory.dmp	family_xworm
behavioral1/files/0x0008000000015d6e-13.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2764-18-0x000000001B9D0000-0x000000001BBE6000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1200	powershell.exe
2284	powershell.exe
2488	powershell.exe
760	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	WindowsSecurity.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	ui.exe
2868	WindowsSecurity.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	ui.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1200	powershell.exe
2284	powershell.exe
2488	powershell.exe
760	powershell.exe
2868	WindowsSecurity.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	WindowsSecurity.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2868	WindowsSecurity.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	WindowsSecurity.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2764	3032	ui.exe	30
PID 3032 wrote to memory of 2764	3032	ui.exe	30
PID 3032 wrote to memory of 2764	3032	ui.exe	30
PID 3032 wrote to memory of 2868	3032	ui.exe	31
PID 3032 wrote to memory of 2868	3032	ui.exe	31
PID 3032 wrote to memory of 2868	3032	ui.exe	31
PID 2868 wrote to memory of 1200	2868	WindowsSecurity.exe	33
PID 2868 wrote to memory of 1200	2868	WindowsSecurity.exe	33
PID 2868 wrote to memory of 1200	2868	WindowsSecurity.exe	33
PID 2868 wrote to memory of 2284	2868	WindowsSecurity.exe	35
PID 2868 wrote to memory of 2284	2868	WindowsSecurity.exe	35
PID 2868 wrote to memory of 2284	2868	WindowsSecurity.exe	35
PID 2868 wrote to memory of 2488	2868	WindowsSecurity.exe	37
PID 2868 wrote to memory of 2488	2868	WindowsSecurity.exe	37
PID 2868 wrote to memory of 2488	2868	WindowsSecurity.exe	37
PID 2868 wrote to memory of 760	2868	WindowsSecurity.exe	39
PID 2868 wrote to memory of 760	2868	WindowsSecurity.exe	39
PID 2868 wrote to memory of 760	2868	WindowsSecurity.exe	39

C:\Users\Admin\AppData\Local\Temp\ui.exe
"C:\Users\Admin\AppData\Local\Temp\ui.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\ui.exe
  "C:\Users\Admin\AppData\Roaming\ui.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:2764
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6c9d02f9bc36926ab5159e92b8f8eeaf

SHA1
ddd2f1d7860d2e75e8e68c0f50a43f698492dd87

SHA256
aa29ca78b3617b7c30ad5bcc25de17203b94dc090f6566827d1e035700aab544

SHA512
a317b156bf0bd8ff168b6199414b1c1d1c9c322e5994101d66bec9d4ca5f88e231c7df0bf6ba313ad0816ea4cbcb538ec9fd2cbdd47f2618657c2532ff052d06

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
C:\Users\Admin\AppData\Roaming\ui.exe

Filesize
3.8MB

MD5
4d0438297aedcf3351e2399ee7b9a034

SHA1
6b37d1a0f585c6b056b98196c13662a588d3f5e6

SHA256
fe4845b2f864fa1f62d04e185237aa7434d031072e601a1b5e3acee09dc66e91

SHA512
60d85bf1ad55302ab94baa30137a00eff52d08faaffe18f0a098998d11fd79cfd4ad4bc220f2565b076bd44022ae44532cc78035d46dc8bddbf6f461ab16c5a0

Download Submit
memory/1200-23-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1200-24-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2284-31-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2284-30-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2764-16-0x000000001B1C0000-0x000000001B30E000-memory.dmp

Filesize
1.3MB

Download
memory/2764-18-0x000000001B9D0000-0x000000001BBE6000-memory.dmp

Filesize
2.1MB

Download
memory/2764-17-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/2764-15-0x0000000000F10000-0x00000000012D8000-memory.dmp

Filesize
3.8MB

Download
memory/2868-14-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Filesize
96KB

Download
memory/3032-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000000220000-0x00000000005FC000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing