agenttesla | f9e94eefacf735262bab9027a62749330de11c1140c3494355fc2873d20ae211

General

Target

ORDER LİSTESİ 3.exe
Size

58KB
MD5

04140d43f8950a9f31832b98f1fee497
SHA1

99b9c1fc286a5f8680d7256488a1b8289bc63f7b
SHA256

e34846ea6a307cbb749dcf880d83378a592e87b658dd30b4a761e561df78194c
SHA512

50ac9b7b208688679157a3c058fe2a46ed4cc9e24d2972c252c10c7c62e629448ece8d7dda8b130990273e57f02ccbc7a60a4b1de535472a925b11316949217e
SSDEEP

1536:KQ5Wjncz4iijM3CEF/7GmqbMY7usiY9hkX:r5Wjcz4iiA7GmCMY7pdkX

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.zqamcx.com
Port:
587
Username:
[email protected]
Password:
Anambraeast@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 1124	960	ORDER LİSTESİ 3.exe	95

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER LİSTESİ 3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
960	ORDER LİSTESİ 3.exe
960	ORDER LİSTESİ 3.exe
960	ORDER LİSTESİ 3.exe
960	ORDER LİSTESİ 3.exe
1124	aspnet_compiler.exe
1124	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	ORDER LİSTESİ 3.exe
Token: SeDebugPrivilege	1124	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1124	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1620	960	ORDER LİSTESİ 3.exe	93
PID 960 wrote to memory of 1620	960	ORDER LİSTESİ 3.exe	93
PID 960 wrote to memory of 1620	960	ORDER LİSTESİ 3.exe	93
PID 960 wrote to memory of 2580	960	ORDER LİSTESİ 3.exe	94
PID 960 wrote to memory of 2580	960	ORDER LİSTESİ 3.exe	94
PID 960 wrote to memory of 2580	960	ORDER LİSTESİ 3.exe	94
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95
PID 960 wrote to memory of 1124	960	ORDER LİSTESİ 3.exe	95

C:\Users\Admin\AppData\Local\Temp\ORDER LİSTESİ 3.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER LİSTESİ 3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-9-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/960-4-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/960-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/960-3-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/960-1-0x00000000008F0000-0x0000000000904000-memory.dmp

Filesize
80KB

Download
memory/960-5-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/960-6-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/960-2-0x0000000005100000-0x0000000005108000-memory.dmp

Filesize
32KB

Download
memory/1124-11-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/1124-10-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1124-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-12-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1124-13-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/1124-14-0x0000000006B40000-0x0000000006B90000-memory.dmp

Filesize
320KB

Download
memory/1124-15-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/1124-16-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/1124-17-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing