agenttesla | e0a3b97566feb5eae0ee4e68c62b909491458321b6b89abaf62d1413a8ff4535

General

Target

Swift.exe
Size

687KB
MD5

fe00001d0db956e36c44daf67d62bab6
SHA1

64f6a10011a7a0abbec380ccbf7a14b0d6f9d3fe
SHA256

e0a3b97566feb5eae0ee4e68c62b909491458321b6b89abaf62d1413a8ff4535
SHA512

8b42838ef1fe9eb1d758e292742e9fe273a54a07a4a6cecd77468a931ebb79bb280a47ac6a45164b4a3f2be21de1073e5f8734202a8e32eeb226539715423dfc
SSDEEP

12288:SfCVmyE2ov9tg9M2SQEpGExrCwKEE5KrdYc8LzeGqI6c1BLy0CxLlIL1VeiewNON:dmn2ojg93zEpHrCwKwdYc8Jl1BpCxCI1

Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bonnyriggdentalsurgery.com.au
Port:
587
Username:
[email protected]
Password:
Sages101*
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2736	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVCcTv = "C:\\Users\\Admin\\AppData\\Roaming\\YVCcTv\\YVCcTv.exe"	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	ip-api.com
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2744	2592	Swift.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Swift.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	powershell.exe
2860	powershell.exe
2744	RegSvcs.exe
2744	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2744	RegSvcs.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2860	2592	Swift.exe	31
PID 2592 wrote to memory of 2860	2592	Swift.exe	31
PID 2592 wrote to memory of 2860	2592	Swift.exe	31
PID 2592 wrote to memory of 2860	2592	Swift.exe	31
PID 2592 wrote to memory of 2736	2592	Swift.exe	33
PID 2592 wrote to memory of 2736	2592	Swift.exe	33
PID 2592 wrote to memory of 2736	2592	Swift.exe	33
PID 2592 wrote to memory of 2736	2592	Swift.exe	33
PID 2592 wrote to memory of 2832	2592	Swift.exe	35
PID 2592 wrote to memory of 2832	2592	Swift.exe	35
PID 2592 wrote to memory of 2832	2592	Swift.exe	35
PID 2592 wrote to memory of 2832	2592	Swift.exe	35
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37
PID 2592 wrote to memory of 2744	2592	Swift.exe	37

C:\Users\Admin\AppData\Local\Temp\Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Swift.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Swift.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rLUWoglBodaOvF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rLUWoglBodaOvF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp

Filesize
1KB

MD5
364b35050b4f25cfd6a21270bbeb0ea9

SHA1
65f2fcbc4a6ace600f22d32491630caa3ab0658d

SHA256
43f2527a5ad72f71817bee328a5e661b8aa2785105ba0e7f4699277d11f741a2

SHA512
4fac012ef80562b7da72321d14ab695008a557584b4e060b26d1d51dd4e0dca42f77ed0ce358089f97f8f59538de90a8ad4e4deca5764e9cada36c958333232a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
05e4cbd2874a2850a23232dc6adaaa77

SHA1
e8916caf042fbd0cbaacd48a1fee042f659a8036

SHA256
82eb4e1c256c824d7ae5caec0cbde21436601ce13a518e44d2a9390100c8e8a5

SHA512
4dcdb37a6ca1dd48fad4b59d1962f639ca12c945eba2f8631af533da71e29f30edccc8023066f289b6b043ac132d5e46be25d92770325450502aa3f795247391

Download Submit
memory/2592-5-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-33-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-4-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2592-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2592-6-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2592-7-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2592-8-0x0000000004E40000-0x0000000004EC4000-memory.dmp

Filesize
528KB

Download
memory/2592-2-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-1-0x0000000000260000-0x000000000030C000-memory.dmp

Filesize
688KB

Download
memory/2592-3-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2744-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads