agenttesla | 336c8f08437e02813b6f5c4a9e61f6b22f93fb28b014532dfe48b5a1707f6cce

General

Target

offer Order And Shipping Details.exe
Size

973KB
MD5

e541ccd346efda9a73ca77705c0f593b
SHA1

e7b586668604ad4db47455bf0fff086aeb0cad60
SHA256

336c8f08437e02813b6f5c4a9e61f6b22f93fb28b014532dfe48b5a1707f6cce
SHA512

a93b96a24188a2644e48df906f4e9780eb22bc13ecab7722dfb50a8a1c47ace547b34fd8ff1388c7dff99f1675c434da434c22c90ae5fcc90d37d59d0adf9134

Score

10^/10

agenttesla nanocore collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.thts.vn
Port:
587
Username:
[email protected]
Password:
123luongngan1989

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/632-65-0x0000000000210000-0x0000000000854000-memory.dmp	family_agenttesla
behavioral1/memory/632-66-0x0000000000246A2E-mapping.dmp	family_agenttesla
behavioral1/memory/632-67-0x0000000000210000-0x0000000000854000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

mvrjfdln.pif

pid process

1108 mvrjfdln.pif

pid	process
1108	mvrjfdln.pif

Loads dropped DLL 4 IoCs

Processes:

offer Order And Shipping Details.exe

pid	process
1128	offer Order And Shipping Details.exe
1128	offer Order And Shipping Details.exe
1128	offer Order And Shipping Details.exe
1128	offer Order And Shipping Details.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mvrjfdln.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	mvrjfdln.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\37934803\\mvrjfdln.pif C:\\Users\\Admin\\37934803\\ihuaoe.uqp"	mvrjfdln.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

mvrjfdln.pif

description pid process target process

PID 1108 set thread context of 632 1108 mvrjfdln.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegSvcs.exe

pid process

632 RegSvcs.exe
632 RegSvcs.exe
632 RegSvcs.exe
632 RegSvcs.exe
632 RegSvcs.exe
632 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 632 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

632 RegSvcs.exe

description	pid	process	target process
PID 1108 set thread context of 632	1108	mvrjfdln.pif	RegSvcs.exe

pid	process
632	RegSvcs.exe
632	RegSvcs.exe
632	RegSvcs.exe
632	RegSvcs.exe
632	RegSvcs.exe
632	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	632	RegSvcs.exe

pid	process
632	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

offer Order And Shipping Details.exemvrjfdln.pif

description	pid	process	target process
PID 1128 wrote to memory of 1108	1128	offer Order And Shipping Details.exe	mvrjfdln.pif
PID 1128 wrote to memory of 1108	1128	offer Order And Shipping Details.exe	mvrjfdln.pif
PID 1128 wrote to memory of 1108	1128	offer Order And Shipping Details.exe	mvrjfdln.pif
PID 1128 wrote to memory of 1108	1128	offer Order And Shipping Details.exe	mvrjfdln.pif
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe
PID 1108 wrote to memory of 632	1108	mvrjfdln.pif	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\offer Order And Shipping Details.exe
"C:\Users\Admin\AppData\Local\Temp\offer Order And Shipping Details.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\37934803\mvrjfdln.pif
"C:\Users\Admin\37934803\mvrjfdln.pif" ihuaoe.uqp
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:632

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\37934803\digxa.docx
MD5
45be95822e185a068b08546b4318db70

SHA1
7ec0747159a07f3ae319a97b04b516cb707c63e3

SHA256
76982e3df1559ff6d4d75424b072bf5d1e4687b55060db0c43b59513807d9d62

SHA512
95422c42c375d184d834d82bd4ab08a6b12ee4c2e19cf89d33bb3a8e8b96517d09f02dcccc7c37cb4025bb84dca3b1bba037d3c5b317f4b51e48737f0be9b7f3

Download Submit
C:\Users\Admin\37934803\gwbpq.ner
MD5
6dd637838270f9f81e5bbad2cabdc1f5

SHA1
65468a684f5ea5f428fffdd6f6b188e4a616f1c7

SHA256
ec068aa46b1d61290af614f355324bc03ea57976af3a85b90d68fe3eefd412f8

SHA512
09b96eab0cd7d12c9cfb7eae0b7b19c0c7ae36208ea1554f484438223280634a54ae07fac1b411d2df18499e4a377bdb319059edf223c44153b13fe328e0b814

Download Submit
C:\Users\Admin\37934803\ihuaoe.uqp
MD5
7af3c2fe0522abd3fea696930e3ff740

SHA1
8c6364ccea6503e709f8504a80f1f5a7fca5655b

SHA256
9f06a9550ab18438576095dea0a77ce022577d2cec042277328bec1fd50d319b

SHA512
93d273391e308e63ea9c5185ae7cf0cbf65167ec2c33b8ff07be5530bff4ba54c2cbaef5a936f7616f6d8d249c77c91ca19bb80ecaf0abbdabb558180a63aac3

Download Submit
C:\Users\Admin\37934803\mvrjfdln.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\Users\Admin\37934803\mvrjfdln.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\Users\Admin\37934803\mvrjfdln.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\Users\Admin\37934803\mvrjfdln.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\Users\Admin\37934803\mvrjfdln.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
memory/632-64-0x0000000000210000-0x0000000000854000-memory.dmp

Filesize
6.3MB

Download
memory/632-65-0x0000000000210000-0x0000000000854000-memory.dmp

Filesize
6.3MB

Download
memory/632-66-0x0000000000246A2E-mapping.dmp

Download
memory/632-67-0x0000000000210000-0x0000000000854000-memory.dmp

Filesize
6.3MB

Download
memory/632-69-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/1108-58-0x0000000000000000-mapping.dmp

Download
memory/1128-53-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads