agenttesla | 4f3c0de5a08e918050382a42c6109fda68cc8167664065ebd98c73d761fde3f3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA pdf.exe
Size

717KB
MD5

0e928f8ca2a45826211c1e02c9ae09f8
SHA1

502ba9469f174b8ae062278be8ca847616d4e0f8
SHA256

3c4a6a16a5d8679e83400b100265e0513f5993e513d5f17c875976b09cd1bf25
SHA512

1ae4d75d15026e3277b42918756b1bc7a91960811136af4672ca48c9b943279b4ff22be4382275629693ae9f17b0c3e95ac1ade95c5bf167086015478aca4ca4
SSDEEP

12288:I3qyJMM/F1KswrqeiQgLI/VvH8WX1wMVeARbNPnN9jXBOQS6XczZLK4I7ukDkR:I6ON1KAYVvH8inwARbNPNNX3VMBK41kW

Score

10^/10

agenttesla execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tajhiz-gostaran.com
Port:
587
Username:
[email protected]
Password:
Ohv@dRNG{N^grViQHl
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4728 powershell.exe
4632 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SOA pdf.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation SOA pdf.exe

pid	process
4728	powershell.exe
4632	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	SOA pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA pdf.exe

description pid process target process

PID 1000 set thread context of 540 1000 SOA pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1448 schtasks.exe

description	pid	process	target process
PID 1000 set thread context of 540	1000	SOA pdf.exe	RegSvcs.exe

pid	process
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

SOA pdf.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
4728	powershell.exe
4632	powershell.exe
4632	powershell.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
1000	SOA pdf.exe
540	RegSvcs.exe
540	RegSvcs.exe
4632	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SOA pdf.exepowershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1000 SOA pdf.exe
Token: SeDebugPrivilege 4728 powershell.exe
Token: SeDebugPrivilege 4632 powershell.exe
Token: SeDebugPrivilege 540 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1000	SOA pdf.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	540	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SOA pdf.exe

description	pid	process	target process
PID 1000 wrote to memory of 4728	1000	SOA pdf.exe	powershell.exe
PID 1000 wrote to memory of 4728	1000	SOA pdf.exe	powershell.exe
PID 1000 wrote to memory of 4728	1000	SOA pdf.exe	powershell.exe
PID 1000 wrote to memory of 4632	1000	SOA pdf.exe	powershell.exe
PID 1000 wrote to memory of 4632	1000	SOA pdf.exe	powershell.exe
PID 1000 wrote to memory of 4632	1000	SOA pdf.exe	powershell.exe
PID 1000 wrote to memory of 1448	1000	SOA pdf.exe	schtasks.exe
PID 1000 wrote to memory of 1448	1000	SOA pdf.exe	schtasks.exe
PID 1000 wrote to memory of 1448	1000	SOA pdf.exe	schtasks.exe
PID 1000 wrote to memory of 2824	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 2824	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 2824	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 3580	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 3580	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 3580	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 540	1000	SOA pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SOA pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SOA pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA pdf.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TbRQjVqQYK.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TbRQjVqQYK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
92c2d7bd6c85fd091a96450740d2f65c

SHA1
d510f2accff6d316717e419be1c40aed6978cb54

SHA256
ef39f7ee5d46ba725cb773a007f827d005c5cd24fe6fcfed0cf6986d8979e090

SHA512
2ae39093412bba21e23c793162f3761673f642858148cce7483a11e05ea196748f918337fdd57907c2012f908a2f8b032a87350962f5d37b90f1d64fbd5eff9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_caciwmrl.vrj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp
Filesize
1KB

MD5
9f356f7fab59c85b03dd85aa6cf29728

SHA1
b3c025ac73e272e9e5b256d97a2ada2c5907e054

SHA256
06d0cae24578087156e3f9f69c2e2b0187db69dccd2b6c9f07ef63117a0455a3

SHA512
42031bd55711811053e29c1928f44e0e684b3751ce0efbb3a83050def071af01a809f2c8ef927538f887fdda158839f62a49b44eb596140eff6bb455c268cd6f

Download Submit
memory/540-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-82-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/1000-5-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1000-50-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1000-8-0x0000000005E40000-0x0000000005E50000-memory.dmp

Filesize
64KB

Download
memory/1000-9-0x0000000006E70000-0x0000000006EF2000-memory.dmp

Filesize
520KB

Download
memory/1000-10-0x000000000ABD0000-0x000000000AC6C000-memory.dmp

Filesize
624KB

Download
memory/1000-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/1000-16-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/1000-7-0x0000000005E20000-0x0000000005E2E000-memory.dmp

Filesize
56KB

Download
memory/1000-6-0x0000000005CF0000-0x0000000005D06000-memory.dmp

Filesize
88KB

Download
memory/1000-32-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1000-4-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/1000-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/1000-2-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/1000-1-0x0000000000F30000-0x0000000000FE4000-memory.dmp

Filesize
720KB

Download
memory/4632-85-0x00000000072A0000-0x00000000072BA000-memory.dmp

Filesize
104KB

Download
memory/4632-84-0x00000000071A0000-0x00000000071B4000-memory.dmp

Filesize
80KB

Download
memory/4632-39-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-21-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-83-0x0000000007190000-0x000000000719E000-memory.dmp

Filesize
56KB

Download
memory/4632-67-0x00000000750B0000-0x00000000750FC000-memory.dmp

Filesize
304KB

Download
memory/4632-92-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-23-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-79-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/4632-52-0x00000000060C0000-0x000000000610C000-memory.dmp

Filesize
304KB

Download
memory/4632-51-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/4632-77-0x0000000007600000-0x0000000007C7A000-memory.dmp

Filesize
6.5MB

Download
memory/4632-78-0x0000000006D50000-0x0000000006D6A000-memory.dmp

Filesize
104KB

Download
memory/4728-15-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/4728-66-0x0000000007600000-0x00000000076A3000-memory.dmp

Filesize
652KB

Download
memory/4728-55-0x00000000750B0000-0x00000000750FC000-memory.dmp

Filesize
304KB

Download
memory/4728-65-0x0000000007590000-0x00000000075AE000-memory.dmp

Filesize
120KB

Download
memory/4728-54-0x00000000075B0000-0x00000000075E2000-memory.dmp

Filesize
200KB

Download
memory/4728-22-0x0000000005EB0000-0x0000000005ED2000-memory.dmp

Filesize
136KB

Download
memory/4728-80-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/4728-81-0x0000000007B60000-0x0000000007B71000-memory.dmp

Filesize
68KB

Download
memory/4728-24-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4728-25-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4728-38-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download
memory/4728-20-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4728-86-0x0000000007C80000-0x0000000007C88000-memory.dmp

Filesize
32KB

Download
memory/4728-19-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4728-18-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4728-17-0x0000000005880000-0x0000000005EA8000-memory.dmp

Filesize
6.2MB

Download
memory/4728-93-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download