agenttesla | 750c482a5ed1cc058c1bdfc18bc84d963f03cf75103ff66ea3452128a67bcd0e

General

Target

Purchase Order PO63829.exe
Size

356KB
MD5

b8d994b327b1f42d63e6d9e7294853a0
SHA1

5e6f6dfddffa48bdfd9890f68b456482b40d3b8f
SHA256

750c482a5ed1cc058c1bdfc18bc84d963f03cf75103ff66ea3452128a67bcd0e
SHA512

a6441be339ac71ac91f1416aa7ebf408ddc6b490acb4a82532a16a036d299fd49ccc7aa9b631a61091f28b844ea9bfecf4c2698991d04e01b208a99fc54885f3

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2820-116-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral2/memory/2820-117-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral2/memory/2820-118-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

Purchase Order PO63829.exe

pid process

1812 Purchase Order PO63829.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1812	Purchase Order PO63829.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Purchase Order PO63829.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order PO63829.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order PO63829.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order PO63829.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order PO63829.exe

description pid process target process

PID 1812 set thread context of 2820 1812 Purchase Order PO63829.exe Purchase Order PO63829.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Purchase Order PO63829.exe

pid process

2820 Purchase Order PO63829.exe
2820 Purchase Order PO63829.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Order PO63829.exe

description pid process

Token: SeDebugPrivilege 2820 Purchase Order PO63829.exe

description	pid	process	target process
PID 1812 set thread context of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe

pid	process
2820	Purchase Order PO63829.exe
2820	Purchase Order PO63829.exe

description	pid	process
Token: SeDebugPrivilege	2820	Purchase Order PO63829.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Purchase Order PO63829.exe

description	pid	process	target process
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1812 wrote to memory of 2820	1812	Purchase Order PO63829.exe	Purchase Order PO63829.exe

outlook_office_path 1 IoCs

Processes:

Purchase Order PO63829.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order PO63829.exe

outlook_win_path 1 IoCs

Processes:

Purchase Order PO63829.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order PO63829.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoE783.tmp\cjkxps.dll

MD5
7b019f3a9e8d090da6cba443fd94e6cd

SHA1
ba78720dbd3a43d22a298f9162fd4b7dfd1749f8

SHA256
ccae014473dfa19d867b763bde0529f56b292bf3e225f48c15b2eed6d81983d7

SHA512
21f1a7f7a2fc29726f065b7f6cb913126d1164df75974373d74d131e65499a962ba14e0c7d56d2d733bef4f376c51810987cd3353e800fb8d73a8a23510fa884

Download Submit
memory/2820-116-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2820-117-0x000000000040188B-mapping.dmp

Download
memory/2820-119-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2820-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2820-120-0x0000000002401000-0x0000000002402000-memory.dmp

Filesize
4KB

Download
memory/2820-121-0x0000000002402000-0x0000000002404000-memory.dmp

Filesize
8KB

Download
memory/2820-122-0x0000000002407000-0x0000000002408000-memory.dmp

Filesize
4KB

Download
memory/2820-123-0x0000000002408000-0x0000000002409000-memory.dmp

Filesize
4KB

Download
memory/2820-124-0x000000000240D000-0x000000000240F000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads