agenttesla | eddebeaf37033efffcbecd52bcf529a006fc0cebbe3f347a83cec7854e7df4d0

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref Cheque 705059.vbe
Size

10KB
MD5

90d3ad68895627841ba7ac18079fc0b1
SHA1

a00920b635b500f67983ab4bed25a38df9bd5549
SHA256

ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369
SHA512

8e3d459a1d11cadfc336c364918c97ecf0004418afb890bd3b36e9139d30bfe956266f2e87e29e2e5df46b01e94c1bc64b9964b3a556ad64f6a5b2a8afb493b6
SSDEEP

192:xXNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5FYleLMl/1uw5YOAxJhHFK:xNElLAAKjBLf1UWobElwMl/mHHs

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4452	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	api.ipify.org
95	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 2904	4556	powershell.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3296	WINWORD.EXE
3296	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4556	powershell.exe
4556	powershell.exe
3712	powershell.exe
3712	powershell.exe
4556	powershell.exe
2904	MSBuild.exe
2904	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	2904	MSBuild.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3296	WINWORD.EXE
3296	WINWORD.EXE
3296	WINWORD.EXE
3296	WINWORD.EXE
3296	WINWORD.EXE
3296	WINWORD.EXE
3296	WINWORD.EXE
3296	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4556	640	WScript.exe	92
PID 640 wrote to memory of 4556	640	WScript.exe	92
PID 640 wrote to memory of 3712	640	WScript.exe	99
PID 640 wrote to memory of 3712	640	WScript.exe	99
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 4556 wrote to memory of 2904	4556	powershell.exe	101
PID 3712 wrote to memory of 4540	3712	powershell.exe	103
PID 3712 wrote to memory of 4540	3712	powershell.exe	103
PID 4556 wrote to memory of 4864	4556	powershell.exe	102
PID 4556 wrote to memory of 4864	4556	powershell.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref Cheque 705059.vbe"
1⤵
- Blocklisted process makes network request
PID:4452

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4556" "2792" "2732" "2796" "0" "0" "2800" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4864
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3712" "2752" "2684" "2756" "0" "0" "2760" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4540

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SetTest.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA222.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x1l1zhkt.yyx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs

Filesize
2KB

MD5
e26532ee5fd577e459897da6e2d1fd35

SHA1
fd22513992dd197796bdd70a15d0e91fedcc230c

SHA256
e5441fd6bf5a366d4144553a3caf44ed09d6fb7cb085de728579c556def1e329

SHA512
c44fe8cd1c9d0f3727d15a08cb288fec1593deecc2bee5bde9a00c7f8d241f014c0a539ae6c1c0c05e2243d81046855f62a19633f6b17d238303e475271055b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
200B

MD5
2a26efdc132fece284eb35e15f0212df

SHA1
0e7e6d00f2cdaa7cfef012daeedae29b2e9e908e

SHA256
8ff682431977c338655bb2aad1dd7821aa60936643a91fef89886716fdd23dfd

SHA512
e65bf1c3770c0e18b9f671507876fd75631f02d002fab5692c08ad193ffa7cd2186ed0f6911185dc3e09e409c92f26649e337d1da4e90894ceaa2a694e40d50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c5f3684244d1620707a98c8e1ef5df58

SHA1
1a6ff11d35a53ecbe5dba25ab8f46ee5b6800582

SHA256
0497e4a571e3f6c687bc07bdfe841142ed1c654e40bc2153a3a4ae76647de80b

SHA512
9579085b0a19f6422568078483b3d0d650030c48ab59080dcdb3454c3b28360fee579002f52217916da8dafc3628b7799388fd052338e53a274df13ec0c2c9be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
399d356f831f328b765e3a1485ada7d1

SHA1
56812543d6ed9f4ba6e4293454e9ee14bad5f152

SHA256
0e97b134fb5f27af496b59e77783f55f3b16028b2143f987dbeb980485cd7907

SHA512
d0e1a83bfb975753488c13918a07abba0e4e838fd20a739084d0b76c2e99c56614632411a3d6068e11c495f67773ddd8f2d266af80d4f89bb82b6d279158982c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
ab9480cafb812b30933de8cf9e6f8324

SHA1
5cc0d906b05b107056ad2c11f6f832109e7c8108

SHA256
c53de08c5404feb28c68e16e1b911020d12a63c2ee3591ea4aff57c35d97261f

SHA512
f28040c31bdd47f6d0448aa702d6180b223fd2c72f29e5d7506bd8b0420db9fabdcb3b470e1247555d98b6c855e20f05638f4016f34968044a20eafb87f0da4b

Download Submit
memory/2904-585-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/2904-501-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/2904-583-0x0000000006D90000-0x0000000006DE0000-memory.dmp

Filesize
320KB

Download
memory/2904-491-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/2904-86-0x0000000001200000-0x0000000001240000-memory.dmp

Filesize
256KB

Download
memory/2904-584-0x0000000006E80000-0x0000000006F12000-memory.dmp

Filesize
584KB

Download
memory/3296-19-0x00007FF7C2F50000-0x00007FF7C2F60000-memory.dmp

Filesize
64KB

Download
memory/3296-16-0x00007FF7C2F50000-0x00007FF7C2F60000-memory.dmp

Filesize
64KB

Download
memory/3296-21-0x00007FF7C0BB0000-0x00007FF7C0BC0000-memory.dmp

Filesize
64KB

Download
memory/3296-17-0x00007FF7C2F50000-0x00007FF7C2F60000-memory.dmp

Filesize
64KB

Download
memory/3296-18-0x00007FF7C2F50000-0x00007FF7C2F60000-memory.dmp

Filesize
64KB

Download
memory/3296-20-0x00007FF7C2F50000-0x00007FF7C2F60000-memory.dmp

Filesize
64KB

Download
memory/3296-22-0x00007FF7C0BB0000-0x00007FF7C0BC0000-memory.dmp

Filesize
64KB

Download
memory/4556-84-0x0000018558360000-0x000001855836A000-memory.dmp

Filesize
40KB

Download
memory/4556-4-0x00000185729E0000-0x0000018572A02000-memory.dmp

Filesize
136KB

Download
memory/4556-14-0x0000018572E50000-0x0000018572E94000-memory.dmp

Filesize
272KB

Download
memory/4556-85-0x0000018558370000-0x000001855837A000-memory.dmp

Filesize
40KB

Download
memory/4556-15-0x0000018572F20000-0x0000018572F96000-memory.dmp

Filesize
472KB

Download