agenttesla | 4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637

General

Target

c1b4b9ffcd81e9a4516400f9fc38a4d3.exe
Size

1.1MB
MD5

c1b4b9ffcd81e9a4516400f9fc38a4d3
SHA1

3605dec02e7f6480262eb5cae77ada772324bb2b
SHA256

4ed0b0474741e959230eb8a17efbc5e0db94fba7f46499596dd6359b4cf16637
SHA512

f7ff356b06b1eb2f9babc850727907748c50b5868a241a6b4746e92104d806c67b3034a73559a2ca0819c6e4b66e17e1bbcd856ba7ca4d16d3f283e827dd0c5e

Score

10^/10

agenttesla nanocore collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.lko-import.de
Port:
587
Username:
[email protected]
Password:
TVMHSiW5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1052-125-0x0000000001100000-0x00000000015EB000-memory.dmp	family_agenttesla
behavioral2/memory/1052-126-0x00000000011375EE-mapping.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

edootqca.pifedootqca.pif

pid process

1328 edootqca.pif
2004 edootqca.pif

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

edootqca.pifedootqca.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	edootqca.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\75093774\\edootqca.pif c:\\75093774\\TTBFBS~1.MNA"	edootqca.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	edootqca.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\75093774\\edootqca.pif c:\\75093774\\TTBFBS~1.MNA"	edootqca.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

edootqca.pif

description pid process target process

PID 2004 set thread context of 1052 2004 edootqca.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

edootqca.pif

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings edootqca.pif

description	pid	process	target process
PID 2004 set thread context of 1052	2004	edootqca.pif	RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	edootqca.pif

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

edootqca.pifedootqca.pifRegSvcs.exe

pid	process
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
1328	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
1052	RegSvcs.exe
1052	RegSvcs.exe
1052	RegSvcs.exe
1052	RegSvcs.exe
1052	RegSvcs.exe
1052	RegSvcs.exe
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif
2004	edootqca.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1052 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1052 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1052	RegSvcs.exe

pid	process
1052	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c1b4b9ffcd81e9a4516400f9fc38a4d3.exeedootqca.pifWScript.exeedootqca.pif

description	pid	process	target process
PID 2160 wrote to memory of 1328	2160	c1b4b9ffcd81e9a4516400f9fc38a4d3.exe	edootqca.pif
PID 2160 wrote to memory of 1328	2160	c1b4b9ffcd81e9a4516400f9fc38a4d3.exe	edootqca.pif
PID 2160 wrote to memory of 1328	2160	c1b4b9ffcd81e9a4516400f9fc38a4d3.exe	edootqca.pif
PID 1328 wrote to memory of 3144	1328	edootqca.pif	WScript.exe
PID 1328 wrote to memory of 3144	1328	edootqca.pif	WScript.exe
PID 1328 wrote to memory of 3144	1328	edootqca.pif	WScript.exe
PID 3144 wrote to memory of 2004	3144	WScript.exe	edootqca.pif
PID 3144 wrote to memory of 2004	3144	WScript.exe	edootqca.pif
PID 3144 wrote to memory of 2004	3144	WScript.exe	edootqca.pif
PID 2004 wrote to memory of 1052	2004	edootqca.pif	RegSvcs.exe
PID 2004 wrote to memory of 1052	2004	edootqca.pif	RegSvcs.exe
PID 2004 wrote to memory of 1052	2004	edootqca.pif	RegSvcs.exe
PID 2004 wrote to memory of 1052	2004	edootqca.pif	RegSvcs.exe
PID 2004 wrote to memory of 1052	2004	edootqca.pif	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\c1b4b9ffcd81e9a4516400f9fc38a4d3.exe
"C:\Users\Admin\AppData\Local\Temp\c1b4b9ffcd81e9a4516400f9fc38a4d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\75093774\edootqca.pif
  "C:\75093774\edootqca.pif" ttbfbsnkx.mna
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\75093774\run.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\75093774\edootqca.pif
      "C:\75093774\edootqca.pif" ttbfbsnkx.mna
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\75093774\edootqca.pif

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\75093774\edootqca.pif

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\75093774\edootqca.pif

MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\75093774\fpnworvtra.ppt

MD5
38939658603af998024840687166081f

SHA1
bfdb8628c8a6c5e595a2c847bbeb756940a1e2a3

SHA256
2094a89efd01e941414d28ac31122aea61b0a96979b943e1ea346a9f095afd14

SHA512
8d00dfe951ab06f967d687788b0baed64cb6525f576025b8940234e6a6b5ae845171588d314a65bbebf9291c634092d457fafb44d6cce77e7b3149376226ce9e

Download Submit
C:\75093774\run.vbs

MD5
d81275240c2366091efdb312489a650d

SHA1
e7ce977c11a260c384ad434dad9737a3e94605fe

SHA256
978a647a98ed15a53d655f0abf34549db7ab647a8fd87117e9c6af1a31f5daf9

SHA512
b7ac2f55c34b2098c3968647fb806289fdff9b2de6bd7ae28523112a087627106613551b7ec19f7675fbe850580c28a0f57099c90a0f7e6dfec3cbd5edc5642a

Download Submit
C:\75093774\tjvcxqvu.xeo

MD5
1e9004bd0403298a96483c61e1e85995

SHA1
bf9a6d9c00c43ea7b5054c04d0526c695a721e7d

SHA256
a938ab1fd8cbf75992f1165d689911fffe0223479f6f2f6db8f34bb1bd83ebdd

SHA512
c42f9a5c5c4af57b5d37b17ee87539a83926d0357b0079a42042f55a6a3eb5e34ac604dd3b766e951134eeb6e8fcec6094ed7d0ac82ab30338965523a2cda76d

Download Submit
C:\75093774\ttbfbsnkx.mna

MD5
e86bc8d921ac0b38387c090d249ca353

SHA1
9bf5800dbb9502c1e81e39a663de50f76b45da3a

SHA256
7c5658d6106669337a112f20a48a5441deb54d5483a1624cd9c23b061c4a32b2

SHA512
91a714c3911607a54e14fa2a009fc0324db4705bd6f07e7ba02ffaad8eae3b38b579a89aaa9f74c0e7211f1fc2addf5fc1042c7ff9adc58c5506f209bb97cf97

Download Submit
memory/1052-125-0x0000000001100000-0x00000000015EB000-memory.dmp

Filesize
4.9MB

Download
memory/1052-126-0x00000000011375EE-mapping.dmp

Download
memory/1052-129-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1052-130-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/1052-131-0x0000000005BC0000-0x00000000060BE000-memory.dmp

Filesize
5.0MB

Download
memory/1052-132-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/1052-133-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/1052-134-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/1052-135-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/1052-136-0x0000000005BC0000-0x00000000060BE000-memory.dmp

Filesize
5.0MB

Download
memory/1328-115-0x0000000000000000-mapping.dmp

Download
memory/2004-123-0x0000000000000000-mapping.dmp

Download
memory/3144-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads