agenttesla | 07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmps1jos_w7.exe
Size

1.4MB
MD5

86e5efa7d3dce6320ffcdfc12f628cba
SHA1

d3d26c7eddb95e028c13b97f94f330e5ad5dbba4
SHA256

07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6
SHA512

cb5d2fa04260b9ca8b8200dfa8881d82ae7cd701822c0cb3c8df5846a6f315c60475a39dc9048094d78fc8c2be21e4df734b805ac2f205c3c67b1a1b89cd8e23
SSDEEP

24576:ivrA5SXIIYCcp3WLcndXJp80oPQZ3aO30KISlm7mgXKrqEKdCSu59m6nnjqKoe:ivOkRYCcp3ZrpBooF1Tm6g6rFKdg9rjF

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
328	powershell.exe
2212	powershell.exe
3040	powershell.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2548	2432	tmps1jos_w7.exe	34
PID 2548 set thread context of 344	2548	tmps1jos_w7.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmps1jos_w7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmps1jos_w7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmps1jos_w7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
328	powershell.exe
2180	powershell.exe
2212	powershell.exe
3040	powershell.exe
344	tmps1jos_w7.exe
344	tmps1jos_w7.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	344	tmps1jos_w7.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2180	2432	tmps1jos_w7.exe	28
PID 2432 wrote to memory of 2180	2432	tmps1jos_w7.exe	28
PID 2432 wrote to memory of 2180	2432	tmps1jos_w7.exe	28
PID 2432 wrote to memory of 2180	2432	tmps1jos_w7.exe	28
PID 2432 wrote to memory of 328	2432	tmps1jos_w7.exe	30
PID 2432 wrote to memory of 328	2432	tmps1jos_w7.exe	30
PID 2432 wrote to memory of 328	2432	tmps1jos_w7.exe	30
PID 2432 wrote to memory of 328	2432	tmps1jos_w7.exe	30
PID 2432 wrote to memory of 2972	2432	tmps1jos_w7.exe	31
PID 2432 wrote to memory of 2972	2432	tmps1jos_w7.exe	31
PID 2432 wrote to memory of 2972	2432	tmps1jos_w7.exe	31
PID 2432 wrote to memory of 2972	2432	tmps1jos_w7.exe	31
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2432 wrote to memory of 2548	2432	tmps1jos_w7.exe	34
PID 2548 wrote to memory of 2212	2548	tmps1jos_w7.exe	37
PID 2548 wrote to memory of 2212	2548	tmps1jos_w7.exe	37
PID 2548 wrote to memory of 2212	2548	tmps1jos_w7.exe	37
PID 2548 wrote to memory of 2212	2548	tmps1jos_w7.exe	37
PID 2548 wrote to memory of 3040	2548	tmps1jos_w7.exe	39
PID 2548 wrote to memory of 3040	2548	tmps1jos_w7.exe	39
PID 2548 wrote to memory of 3040	2548	tmps1jos_w7.exe	39
PID 2548 wrote to memory of 3040	2548	tmps1jos_w7.exe	39
PID 2548 wrote to memory of 2768	2548	tmps1jos_w7.exe	41
PID 2548 wrote to memory of 2768	2548	tmps1jos_w7.exe	41
PID 2548 wrote to memory of 2768	2548	tmps1jos_w7.exe	41
PID 2548 wrote to memory of 2768	2548	tmps1jos_w7.exe	41
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43
PID 2548 wrote to memory of 344	2548	tmps1jos_w7.exe	43

C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe
"C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OkbpwNyH.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkbpwNyH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC06.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe
  "C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wlBldyvi.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCF5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe
    "C:\Users\Admin\AppData\Local\Temp\tmps1jos_w7.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCC06.tmp

Filesize
1KB

MD5
6ffb859b82d71b0ed508b3c8e15d9ba3

SHA1
14f89e438a8eed94949cf642d592bcf8893cfdfd

SHA256
d7d0ae29fadfc35d3e92bd069174d7834598943b07222ca33d07f4172edb73f2

SHA512
71dec4e83826522ee4486ca0ee2b32a9866fa7263be821c3c2d045c64573edc7d9783f52c2f35e174db0c20ab78fea3161ac70ca1035f77587eef7bbc5117058

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFCF5.tmp

Filesize
1KB

MD5
1033bca53fdb823dcde7e9371f45e94a

SHA1
3abba49337edb5df2f439c49041641fdc0b1abfa

SHA256
33e192faf4faf6b13a4673257722a72f81b9efa7cb44f89765589265b4e30ae5

SHA512
7ccb7d1a482f0d1a887bcb4d769ffe88b1a928fa9c5bbe6f9e390f3805097b6106716afa9860b0f3f0c082882cf25e26710ebd225a6f430712a6a6fbbe5a3f51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZKYEI7OLGH6CW835RPNK.temp

Filesize
7KB

MD5
fb77fe8e3855613310249faeb8ea8ffb

SHA1
bc82047d2ac435d802b4f144059ab8935fe0dd33

SHA256
d41498cb1359d7aa1a4aeeb768a0c39d8ace38bcd6e2d9983bce14993f24dd9e

SHA512
03ec908394ee75d3014b41fdfd7461489d8be6bfca0c9742c2abd3a94d1c226e27b3abec468dce30a67d717d45b867385efad9d41ee44ec68ec7071f9ac523a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
65a6e15bae748ac92cb220d636b9b80c

SHA1
e99a60344b0ae20b2563862c9adaccf599776508

SHA256
e8782492d93142a2769d6dc3ea316235e1ca6168fd6937bfc41e5e810fdc2f13

SHA512
eda7eb16ddb6e89fcd266e21b31d42b031cd05b29409577a33b6becdcea1c35de37dbdbb67d4ca0033149995e9e401563bc93672b585344fc510a94e6d2457c3

Download Submit
C:\Users\Admin\AppData\Roaming\wlBldyvi.exe

Filesize
1.4MB

MD5
86e5efa7d3dce6320ffcdfc12f628cba

SHA1
d3d26c7eddb95e028c13b97f94f330e5ad5dbba4

SHA256
07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6

SHA512
cb5d2fa04260b9ca8b8200dfa8881d82ae7cd701822c0cb3c8df5846a6f315c60475a39dc9048094d78fc8c2be21e4df734b805ac2f205c3c67b1a1b89cd8e23

Download Submit
memory/344-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/344-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/344-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/344-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/344-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/344-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/344-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/344-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-1-0x0000000000980000-0x0000000000AEE000-memory.dmp

Filesize
1.4MB

Download
memory/2432-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/2432-3-0x00000000051A0000-0x00000000052CE000-memory.dmp

Filesize
1.2MB

Download
memory/2432-4-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2432-2-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-33-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-5-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/2432-6-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2432-7-0x0000000005EC0000-0x0000000005FD6000-memory.dmp

Filesize
1.1MB

Download
memory/2548-34-0x00000000008C0000-0x0000000000960000-memory.dmp

Filesize
640KB

Download
memory/2548-32-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2548-35-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2548-26-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2548-20-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2548-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-25-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2548-36-0x00000000056A0000-0x0000000005722000-memory.dmp

Filesize
520KB

Download
memory/2548-22-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2548-29-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2548-30-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download