agenttesla | 0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0

General

Target

0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe
Size

1002KB
MD5

c486642bfd8b58a3a417a77277412111
SHA1

71ef2fff00f5b2697189693f051b7671e55d1631
SHA256

0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0
SHA512

481b65dfd609245637a12ec01ead81ebffe92be3728b1fbda4662f272872c8df1da0b8423d6ae9f1c0f13b998440f921810a19fc1a85460d03cf227ab7cb0988

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.lko-import.de
Port:
587
Username:
[email protected]
Password:
TVMHSiW5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/924-121-0x0000000000940000-0x0000000000F6C000-memory.dmp	family_agenttesla
behavioral1/memory/924-122-0x00000000009775BE-mapping.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

lvkf.pif

pid process

3848 lvkf.pif

pid	process
3848	lvkf.pif

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\eBbIsjQ = "C:\\Users\\Admin\\AppData\\Roaming\\eBbIsjQ\\eBbIsjQ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lvkf.pif

description pid process target process

PID 3848 set thread context of 924 3848 lvkf.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegSvcs.exe

pid process

924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 924 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

924 RegSvcs.exe

description	pid	process	target process
PID 3848 set thread context of 924	3848	lvkf.pif	RegSvcs.exe

pid	process
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	924	RegSvcs.exe

pid	process
924	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exelvkf.pif

description	pid	process	target process
PID 1812 wrote to memory of 3848	1812	0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe	lvkf.pif
PID 1812 wrote to memory of 3848	1812	0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe	lvkf.pif
PID 1812 wrote to memory of 3848	1812	0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe	lvkf.pif
PID 3848 wrote to memory of 924	3848	lvkf.pif	RegSvcs.exe
PID 3848 wrote to memory of 924	3848	lvkf.pif	RegSvcs.exe
PID 3848 wrote to memory of 924	3848	lvkf.pif	RegSvcs.exe
PID 3848 wrote to memory of 924	3848	lvkf.pif	RegSvcs.exe
PID 3848 wrote to memory of 924	3848	lvkf.pif	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe
"C:\Users\Admin\AppData\Local\Temp\0ba7fc9dbbaac148179236aedbb5193eba1506769f139c0fba91c2d211c0c7b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif
"C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif" ovlxrej.ckp
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15152143\deappl.ico
MD5
192c9999cc655925c430bf095045155f

SHA1
3dfc783742b675a39961682a39b2cc73559a0758

SHA256
b84c7ef1d2bb5453ed5af71b83e9dae7e2b5746a111fc701c01ce8072324928b

SHA512
8b7e4fef15debbdd96ebcb5bf5799008a74ed5749c1223c802ef8acc254f0c47c2b21b366a3110b3bfb3145dcde9b2ebab5179a7bdf12b5b5e7228bcc2b30fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\15152143\fsmrjcfko.fkw
MD5
e05ee06f2dac2ee5d341234f7190a053

SHA1
2803ac7187aefbc625724687bd955a8cf684ffce

SHA256
3ef26160bf468d7de40a893e08f42e3ca051649082d65b9e300cc0d835619f1a

SHA512
b960137d4a76850f075a920b56f4e554cfc30ba1a76b1594d9e4926fe342fe37bd076a213e00b828bf709fe872427dbcbe5ee92b4c2858675ab1ae5c4cd791ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\15152143\lvkf.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\15152143\ovlxrej.ckp
MD5
21e1d1c2cb3ce41b78cf86bbc6e498d7

SHA1
3967b546421a25412ffc67c61b2af39d532e9c63

SHA256
2ca036101374829a99c2afc324f72715a7cd781a265c248a575a2f97a5a7caec

SHA512
f61a1dd318ddbec9dbdf163d21c626b33c990045337e85b337e30363fcfa961694829caca17cf37807f544bedc81f41f8802eb7766c69dff712ec446a0120e31

Download Submit
memory/924-121-0x0000000000940000-0x0000000000F6C000-memory.dmp

Filesize
6.2MB

Download
memory/924-122-0x00000000009775BE-mapping.dmp

Download
memory/924-125-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/924-126-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/924-127-0x0000000005560000-0x0000000005A5E000-memory.dmp

Filesize
5.0MB

Download
memory/924-128-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/924-129-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/924-130-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/924-131-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/3848-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads