agenttesla | 4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637

General

Target

4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exe
Size

1.1MB
MD5

c1b4b9ffcd81e9a4516400f9fc38a4d3
SHA1

3605dec02e7f6480262eb5cae77ada772324bb2b
SHA256

4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637
SHA512

f7ff356b06b1eb2f9babc850727907748c50b5868a241a6b4746e92104d806c67b3034a73559a2ca0819c6e4b66e17e1bbcd856ba7ca4d16d3f283e827dd0c5e

Score

10^/10

agenttesla nanocore collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.lko-import.de
Port:
587
Username:
[email protected]
Password:
TVMHSiW5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-121-0x0000000000A30000-0x0000000000F9C000-memory.dmp	family_agenttesla
behavioral1/memory/2172-122-0x0000000000A675EE-mapping.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

edootqca.pif

pid process

3368 edootqca.pif

pid	process
3368	edootqca.pif

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

edootqca.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	edootqca.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\75093774\\edootqca.pif c:\\75093774\\TTBFBS~1.MNA"	edootqca.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

edootqca.pif

description pid process target process

PID 3368 set thread context of 2172 3368 edootqca.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3368 set thread context of 2172	3368	edootqca.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exeedootqca.pif

pid	process
2172	RegSvcs.exe
2172	RegSvcs.exe
2172	RegSvcs.exe
2172	RegSvcs.exe
3368	edootqca.pif
3368	edootqca.pif
2172	RegSvcs.exe
2172	RegSvcs.exe
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif
3368	edootqca.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2172 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2172 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2172	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exeedootqca.pif

description	pid	process	target process
PID 1720 wrote to memory of 3368	1720	4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exe	edootqca.pif
PID 1720 wrote to memory of 3368	1720	4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exe	edootqca.pif
PID 1720 wrote to memory of 3368	1720	4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exe	edootqca.pif
PID 3368 wrote to memory of 2172	3368	edootqca.pif	RegSvcs.exe
PID 3368 wrote to memory of 2172	3368	edootqca.pif	RegSvcs.exe
PID 3368 wrote to memory of 2172	3368	edootqca.pif	RegSvcs.exe
PID 3368 wrote to memory of 2172	3368	edootqca.pif	RegSvcs.exe
PID 3368 wrote to memory of 2172	3368	edootqca.pif	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exe
"C:\Users\Admin\AppData\Local\Temp\4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\75093774\edootqca.pif
  "C:\75093774\edootqca.pif" ttbfbsnkx.mna
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\75093774\edootqca.pif

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\75093774\edootqca.pif

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\75093774\fpnworvtra.ppt

MD5
38939658603af998024840687166081f

SHA1
bfdb8628c8a6c5e595a2c847bbeb756940a1e2a3

SHA256
2094a89efd01e941414d28ac31122aea61b0a96979b943e1ea346a9f095afd14

SHA512
8d00dfe951ab06f967d687788b0baed64cb6525f576025b8940234e6a6b5ae845171588d314a65bbebf9291c634092d457fafb44d6cce77e7b3149376226ce9e

Download Submit
C:\75093774\tjvcxqvu.xeo

MD5
1e9004bd0403298a96483c61e1e85995

SHA1
bf9a6d9c00c43ea7b5054c04d0526c695a721e7d

SHA256
a938ab1fd8cbf75992f1165d689911fffe0223479f6f2f6db8f34bb1bd83ebdd

SHA512
c42f9a5c5c4af57b5d37b17ee87539a83926d0357b0079a42042f55a6a3eb5e34ac604dd3b766e951134eeb6e8fcec6094ed7d0ac82ab30338965523a2cda76d

Download Submit
C:\75093774\ttbfbsnkx.mna

MD5
e86bc8d921ac0b38387c090d249ca353

SHA1
9bf5800dbb9502c1e81e39a663de50f76b45da3a

SHA256
7c5658d6106669337a112f20a48a5441deb54d5483a1624cd9c23b061c4a32b2

SHA512
91a714c3911607a54e14fa2a009fc0324db4705bd6f07e7ba02ffaad8eae3b38b579a89aaa9f74c0e7211f1fc2addf5fc1042c7ff9adc58c5506f209bb97cf97

Download Submit
memory/2172-125-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/2172-121-0x0000000000A30000-0x0000000000F9C000-memory.dmp

Filesize
5.4MB

Download
memory/2172-122-0x0000000000A675EE-mapping.dmp

Download
memory/2172-126-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/2172-127-0x00000000056E0000-0x0000000005BDE000-memory.dmp

Filesize
5.0MB

Download
memory/2172-128-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/2172-129-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/2172-130-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/2172-131-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/2172-132-0x00000000056E0000-0x0000000005BDE000-memory.dmp

Filesize
5.0MB

Download
memory/3368-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads