agenttesla | 69a6d16e563e335bad162c6750c0ce1807bb96ce12e54bc43af19f6458a0a791

Analysis

max time kernel
94s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dollar1.ps1
Size

510KB
MD5

c42d82bfd897477aad6221016be9d6fa
SHA1

af3505c7bda32a32cff69f3afc4c676856d377cc
SHA256

1308763f21e50778f78dd3fd05b61367341cb52c7ca1b411a0d18610b20c9ede
SHA512

f1262f4c95aa5a853ce1f4d1d069c76d6f438c9ba2839cf093472531002c7886a619252be1769d5ebd725e35224e3c2f50bc8ade603ba98216b7ca508894083e
SSDEEP

6144:BHJz/Da4narEcyu0c2slSDp6SGxQ9KH+d2QSQ9OSk/RZSht5C5q+Zbe6gy/3be+c:BHhan0cx2ho4

Score

10^/10

agenttesla collection credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://78.138.105.142/
Port:
21
Username:
dollar
Password:
Samsaghir786

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1036	Powershell.exe	89

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 4380	4148	powershell.exe	105

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
212	powershell.exe
2880	powershell.exe
4044	Powershell.exe
4148	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
212	powershell.exe
212	powershell.exe
2880	powershell.exe
2880	powershell.exe
4044	Powershell.exe
4044	Powershell.exe
4148	powershell.exe
4148	powershell.exe
4380	jsc.exe
4380	jsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe
Token: SeUndockPrivilege	2880	powershell.exe
Token: SeManageVolumePrivilege	2880	powershell.exe
Token: 33	2880	powershell.exe
Token: 34	2880	powershell.exe
Token: 35	2880	powershell.exe
Token: 36	2880	powershell.exe
Token: SeDebugPrivilege	4044	Powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe
Token: SeUndockPrivilege	2880	powershell.exe
Token: SeManageVolumePrivilege	2880	powershell.exe
Token: 33	2880	powershell.exe
Token: 34	2880	powershell.exe
Token: 35	2880	powershell.exe
Token: 36	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe
Token: SeUndockPrivilege	2880	powershell.exe
Token: SeManageVolumePrivilege	2880	powershell.exe
Token: 33	2880	powershell.exe
Token: 34	2880	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2880	212	powershell.exe	98
PID 212 wrote to memory of 2880	212	powershell.exe	98
PID 2880 wrote to memory of 2416	2880	powershell.exe	99
PID 2880 wrote to memory of 2416	2880	powershell.exe	99
PID 4044 wrote to memory of 4676	4044	Powershell.exe	103
PID 4044 wrote to memory of 4676	4044	Powershell.exe	103
PID 4676 wrote to memory of 4148	4676	cmd.exe	104
PID 4676 wrote to memory of 4148	4676	cmd.exe	104
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105
PID 4148 wrote to memory of 4380	4148	powershell.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dollar1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.vbs"
    3⤵
    PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\IHPWKPEVZAFOKFTDEAQASA.ps1'"
    3⤵
    - Suspicious use of SetThreadContext
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      outlook_office_path
      outlook_win_path
      PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat

Filesize
127B

MD5
267f90e0cee8f697121c7d2fb4adac39

SHA1
1a981c00e56ac26056f82265b121b8b79b518e94

SHA256
bfb6e3e481da85711794dffffeb8e8d73b34654c79d5eb979d0efa5759f72b7a

SHA512
106b386734ed981bf97fcd2fa1d69b455a3aca8e8916624db38b46ebc000b87d4c45db53d35d7c6797232e92cf9c115a441286bc8f408aafe293beba18800661

Download Submit
C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.ps1

Filesize
457B

MD5
519c80883e516f37113d65dd84a57b10

SHA1
50ba890d7389a025cbfce10f4a48f9f43fbf0f91

SHA256
afc98de9a030e5b9514854f86192cefef755f763f67018e98763e06c920dac20

SHA512
8caebf146421fbe1180384df8a5ff9162aee9c53672b219d5a87804aab8c9713eea7fca2b9b6b139346d0e21b459b89b274aab256d69550d9b858270616f49fc

Download Submit
C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.vbs

Filesize
3KB

MD5
3cfc71a284fb40178c610cbd49c5129d

SHA1
009788dfe6bc036b6b5bae079bdcbbdd1f12392f

SHA256
5138b8936ea8ce93eb71ad432c42d8699e50b45e3c8003229dff3e35e1dd350e

SHA512
f3cf1cf63ba7d885f936bd357be98a076dbd3f5b13f830e3b227c37619847333c541287ca9194ff64bdbe5f64106d4fb55fc68a7e1ce4bf48bc33ff0c22cea4e

Download Submit
C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\IHPWKPEVZAFOKFTDEAQASA.ps1

Filesize
501KB

MD5
62e4f84a9a51323b88c640342769d9af

SHA1
45c0d492749726d2795d61f4ba695acf9e2d5a52

SHA256
4a95dfbc8f5c0d0bfd89196601aac0022cf40660133482644b3a3cecb58c8c8c

SHA512
0d8009daa875de4be4fddbf2cd79813572db6b72d5333bdc0173e1597871fce1f5a695ec3d094d7db4c682072f526677131fdf8205e6a969bb2662fafd03de9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36fea3c7bd7bf5f15ee1a748daae1f24

SHA1
c5e0122744a61d18b64126bf35374e29ecfe7553

SHA256
bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4

SHA512
6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0jkeafz.pcc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/212-1-0x0000018E605E0000-0x0000018E60602000-memory.dmp

Filesize
136KB

Download
memory/212-0-0x00007FF94BB43000-0x00007FF94BB45000-memory.dmp

Filesize
8KB

Download
memory/212-16-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/212-15-0x00007FF94BB43000-0x00007FF94BB45000-memory.dmp

Filesize
8KB

Download
memory/212-12-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/212-61-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/212-11-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2880-28-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2880-30-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2880-57-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2880-32-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/4148-62-0x00000238255A0000-0x00000238255B0000-memory.dmp

Filesize
64KB

Download
memory/4148-63-0x000002383FA60000-0x000002383FA7A000-memory.dmp

Filesize
104KB

Download
memory/4380-69-0x0000000001120000-0x000000000115A000-memory.dmp

Filesize
232KB

Download
memory/4380-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-70-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/4380-71-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/4380-72-0x0000000005BB0000-0x0000000005BC8000-memory.dmp

Filesize
96KB

Download
memory/4380-73-0x0000000006560000-0x00000000065C6000-memory.dmp

Filesize
408KB

Download
memory/4380-74-0x0000000006C40000-0x0000000006C90000-memory.dmp

Filesize
320KB

Download
memory/4380-75-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/4380-79-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download