agenttesla | 358c99f5f11faa788a617eae44e7d676dfbf51ba3f1cc0348f03676f7ceea8ee

Analysis

max time kernel
139s
max time network
27s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

captured_malware/P0weOPjsmVN5OCW.exe
Size

964KB
MD5

98967ce40ebd4dac5ec4c937b9c755a3
SHA1

1bfb7de1afa9ecd50945cdc5b7305b63b36c1520
SHA256

002d56a69567db513519d5b528da88133425214a569e6f758dd20ac7492374fb
SHA512

f92611d13b4943888e517fa864734b208911b729c8c471276d8a73018e1bbd0e2270095a89e6fd5a86c21d00f2242878b2cb1a581c070893684051aa5394c12d
SSDEEP

24576:rW5OadePnRlODOlZ9FME0XdgR10F33p2/:rydePnRltH/M9dg10p

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.rhsmeridian.com
Port:
587
Username:
[email protected]
Password:
BD6009BMWX5+

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 5 IoCs

resource	yara_rule
behavioral29/memory/2144-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral29/memory/2144-27-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral29/memory/2144-24-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral29/memory/2144-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral29/memory/2144-30-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral29/memory/1892-3-0x0000000000930000-0x000000000093C000-memory.dmp	CustAttr

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2788	powershell.exe
2592	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1892 set thread context of 2144	1892	P0weOPjsmVN5OCW.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P0weOPjsmVN5OCW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P0weOPjsmVN5OCW.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1892	P0weOPjsmVN5OCW.exe
2144	P0weOPjsmVN5OCW.exe
2144	P0weOPjsmVN5OCW.exe
2788	powershell.exe
2936	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	P0weOPjsmVN5OCW.exe
Token: SeDebugPrivilege	2144	P0weOPjsmVN5OCW.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2936	1892	P0weOPjsmVN5OCW.exe	31
PID 1892 wrote to memory of 2936	1892	P0weOPjsmVN5OCW.exe	31
PID 1892 wrote to memory of 2936	1892	P0weOPjsmVN5OCW.exe	31
PID 1892 wrote to memory of 2936	1892	P0weOPjsmVN5OCW.exe	31
PID 1892 wrote to memory of 2788	1892	P0weOPjsmVN5OCW.exe	33
PID 1892 wrote to memory of 2788	1892	P0weOPjsmVN5OCW.exe	33
PID 1892 wrote to memory of 2788	1892	P0weOPjsmVN5OCW.exe	33
PID 1892 wrote to memory of 2788	1892	P0weOPjsmVN5OCW.exe	33
PID 1892 wrote to memory of 3024	1892	P0weOPjsmVN5OCW.exe	35
PID 1892 wrote to memory of 3024	1892	P0weOPjsmVN5OCW.exe	35
PID 1892 wrote to memory of 3024	1892	P0weOPjsmVN5OCW.exe	35
PID 1892 wrote to memory of 3024	1892	P0weOPjsmVN5OCW.exe	35
PID 1892 wrote to memory of 2592	1892	P0weOPjsmVN5OCW.exe	37
PID 1892 wrote to memory of 2592	1892	P0weOPjsmVN5OCW.exe	37
PID 1892 wrote to memory of 2592	1892	P0weOPjsmVN5OCW.exe	37
PID 1892 wrote to memory of 2592	1892	P0weOPjsmVN5OCW.exe	37
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39
PID 1892 wrote to memory of 2144	1892	P0weOPjsmVN5OCW.exe	39

C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe
"C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mQltAFwXEwgbTQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQltAFwXEwgbTQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC562.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mQltAFwXEwgbTQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe
  "C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC562.tmp

Filesize
1KB

MD5
fd5d649c7d38991ffc7acf4c8861a65b

SHA1
8b16c009cf3804a289fb09d96764882df7c22c3b

SHA256
ee7b75ea8518d792a7d429319a8bdfaa9bb56d9d24e0d9d731ffa68159fe056c

SHA512
44d54fc45944b022cd584bab5298d07c5a0871c70bc28fea988ac6d408e55cfd4cff481a65ef35443d4b24cbd57346fa0e386e4c63fa497e2ed0149c0e3923e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8ce2ade80e73d033b2742e2eee8491ff

SHA1
9a2c7374102edaf142f0ec6c7a1aee3b981f361f

SHA256
6b6584dc4e8b373f0bd508adf2a4d4e7d47d8505681779fa09d102deaea17919

SHA512
866b3300aa42002b892fc90e77bd6b3bd69c9b4c1f3d95f7ffea0a3632a345f48340cb890691334a5c0a6f7dca861bfd62e383d121e677bc1623911747ac72c9

Download Submit
memory/1892-4-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1892-3-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/1892-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/1892-5-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-6-0x0000000005210000-0x00000000052C8000-memory.dmp

Filesize
736KB

Download
memory/1892-7-0x00000000052D0000-0x000000000534A000-memory.dmp

Filesize
488KB

Download
memory/1892-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-1-0x0000000001150000-0x0000000001248000-memory.dmp

Filesize
992KB

Download
memory/1892-32-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download