agenttesla | e237c49f7a3930001d9163e5a013e6f8c5a11e7780ac300ae90c815ebe06c3b7

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ebefcd83437e578e4bb058263229340N.exe
Size

967KB
MD5

9ebefcd83437e578e4bb058263229340
SHA1

e9747db002168462e45bc4ebee86407d7739fa6a
SHA256

e237c49f7a3930001d9163e5a013e6f8c5a11e7780ac300ae90c815ebe06c3b7
SHA512

be56c7d61823ea7569815ff7741bb94d75807e38cd6dcbe8d7a7d22efc19b8a82da4c42fbc02ea23eaf0a839935c82c56909db84b0ce20fd1ce12822892306bb
SSDEEP

12288:QGZKzvmKBKYvI8hFUoI8uUGoMRmfCISUNvXpp0gY9DLvZkRUwgeQ7viMzus0J:1KOAFUoKQWQvXps9/xkRUHeQmYus0J

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2748	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ebefcd83437e578e4bb058263229340N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2612	RegSvcs.exe
2612	RegSvcs.exe
2748	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	RegSvcs.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2668	2644	9ebefcd83437e578e4bb058263229340N.exe	30
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2748	2644	9ebefcd83437e578e4bb058263229340N.exe	32
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2752	2644	9ebefcd83437e578e4bb058263229340N.exe	33
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36
PID 2644 wrote to memory of 2612	2644	9ebefcd83437e578e4bb058263229340N.exe	36

C:\Users\Admin\AppData\Local\Temp\9ebefcd83437e578e4bb058263229340N.exe
"C:\Users\Admin\AppData\Local\Temp\9ebefcd83437e578e4bb058263229340N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9ebefcd83437e578e4bb058263229340N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ejkYmVFjFKC.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ejkYmVFjFKC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2730.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2730.tmp

Filesize
1KB

MD5
518326b4eee134bbf09ecea0476324b7

SHA1
76cdc0f68154da12763c18395c8fc41632df615f

SHA256
be94046b971692ab7163e87059cd48c267f33ac1220493b85a0e22fa59d6aed1

SHA512
fea4d6153b1cf1572c01dd1c36878f45b9daf55237790a4aa7dddda4cca1313f7431ccd42d954d012fcc2a1dde5c5985aeb2f13c445ca07f1333035eb062ea0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9d1d2ce1db076f9cdd490d686a071ac8

SHA1
317e59dbfbe0c740efc050190800e33e582ecd96

SHA256
eb610f4b92bb9716e13072a81530acb4d265c29b4caf3d6a77c15c774e787fe4

SHA512
bd61ae903a4c236ae50f1470068f3d24c97be7450fff34e3a79e7ffb872b7971a068f7342b3cad2e13225b0abc36431ec799d22dcc7a525637964090b1895427

Download Submit
memory/2612-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-2-0x00000000052D0000-0x0000000005352000-memory.dmp

Filesize
520KB

Download
memory/2644-1-0x0000000000740000-0x0000000000758000-memory.dmp

Filesize
96KB

Download
memory/2644-0-0x00000000012C0000-0x00000000013B2000-memory.dmp

Filesize
968KB

Download