agenttesla | f4b03241b05ab574499decb9f59ceabc87509849569c614df462a2fa92c6f4ad

General

Target

67d11389f8d2c4dc8a0fd1cf62dec2aa.exe
Size

1.0MB
MD5

67d11389f8d2c4dc8a0fd1cf62dec2aa
SHA1

f0f1e579c6740b18855adc02bc8c800667648d9c
SHA256

f4b03241b05ab574499decb9f59ceabc87509849569c614df462a2fa92c6f4ad
SHA512

4bda7f26e015fca265d2b201351b93369d30ef4ab08e2d759ac29a67a485b62f723daf6ee570005ea42d4d2ea47e961ed8ae9c5383ac114e3aa5b9732c0d200e

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.lko-import.de
Port:
587
Username:
[email protected]
Password:
TVMHSiW5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/624-67-0x00000000002F0000-0x000000000091F000-memory.dmp	family_agenttesla
behavioral1/memory/624-68-0x00000000003275BE-mapping.dmp	family_agenttesla
behavioral1/memory/624-69-0x00000000002F0000-0x000000000091F000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

umpqpe.pif

pid process

568 umpqpe.pif

pid	process
568	umpqpe.pif

Loads dropped DLL 4 IoCs

Processes:

67d11389f8d2c4dc8a0fd1cf62dec2aa.exe

pid	process
956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe
956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe
956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe
956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\eBbIsjQ = "C:\\Users\\Admin\\AppData\\Roaming\\eBbIsjQ\\eBbIsjQ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

umpqpe.pif

description pid process target process

PID 568 set thread context of 624 568 umpqpe.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegSvcs.exe

pid process

624 RegSvcs.exe
624 RegSvcs.exe
624 RegSvcs.exe
624 RegSvcs.exe
624 RegSvcs.exe
624 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 624 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

624 RegSvcs.exe

description	pid	process	target process
PID 568 set thread context of 624	568	umpqpe.pif	RegSvcs.exe

pid	process
624	RegSvcs.exe
624	RegSvcs.exe
624	RegSvcs.exe
624	RegSvcs.exe
624	RegSvcs.exe
624	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	624	RegSvcs.exe

pid	process
624	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

67d11389f8d2c4dc8a0fd1cf62dec2aa.exeumpqpe.pif

description	pid	process	target process
PID 956 wrote to memory of 568	956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe	umpqpe.pif
PID 956 wrote to memory of 568	956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe	umpqpe.pif
PID 956 wrote to memory of 568	956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe	umpqpe.pif
PID 956 wrote to memory of 568	956	67d11389f8d2c4dc8a0fd1cf62dec2aa.exe	umpqpe.pif
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe
PID 568 wrote to memory of 624	568	umpqpe.pif	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\67d11389f8d2c4dc8a0fd1cf62dec2aa.exe
"C:\Users\Admin\AppData\Local\Temp\67d11389f8d2c4dc8a0fd1cf62dec2aa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\91823219\umpqpe.pif
"C:\Users\Admin\91823219\umpqpe.pif" gxvdsxoiqj.hob
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:624

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\91823219\gxvdsxoiqj.hob
MD5
fd6736ddb472cecbc84e9832c471264c

SHA1
7f77e2f8cd842a8a24519ccd294685a3a7257c36

SHA256
552fa2f5e5d01a6c1d4e363c085798863c8b99093990a7c8d16232f056f19ed7

SHA512
527eef9d7bdaad169498b667ba3c9dada8331893e5a82179f59a8d19549f9aa67ec961931edcfd62052c55112571ec9f29fc749afd120dcb88bccca460570ac4

Download Submit
C:\Users\Admin\91823219\outajpxr.jjq
MD5
034ebdc78d0a5481385f6ad0db2d291d

SHA1
12bf2fdd37f7b7624a552e84c859dfb055f33649

SHA256
e997d10216844e9570d473ffe64eb01259b714ba269697475dc44e2a2f197da5

SHA512
f0f9487628e31e6001b703fe7f178e0d2128cbff4884ca26a984fc4591d5f72d2d32f4646b97c8c69da51bddecaed05e3dfd5a6c7ec415ec27aa5ebf02fe1329

Download Submit
C:\Users\Admin\91823219\umpqpe.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
C:\Users\Admin\91823219\usbjhrq.ico
MD5
aa6ab98e6778af792fded87a3413911c

SHA1
cba49b4d569c4175783b3c7d166812b62d270c64

SHA256
810528a6c02c27505ba797693c557d8c1cb3bfc8488674e55cb4360afacf52be

SHA512
1ffdcdbc3afed352aeeb1c35144d1e7b73c261d979b2f26ffc43be1c865e2391e210408f40e4f7fa703752aa404d48cc63ef4e500bfaa0df941482e7c0b737fe

Download Submit
\Users\Admin\91823219\umpqpe.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
\Users\Admin\91823219\umpqpe.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
\Users\Admin\91823219\umpqpe.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
\Users\Admin\91823219\umpqpe.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
memory/568-60-0x0000000000000000-mapping.dmp

Download
memory/624-66-0x00000000002F0000-0x000000000091F000-memory.dmp

Filesize
6.2MB

Download
memory/624-67-0x00000000002F0000-0x000000000091F000-memory.dmp

Filesize
6.2MB

Download
memory/624-68-0x00000000003275BE-mapping.dmp

Download
memory/624-69-0x00000000002F0000-0x000000000091F000-memory.dmp

Filesize
6.2MB

Download
memory/624-71-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/624-72-0x0000000004F21000-0x0000000004F22000-memory.dmp

Filesize
4KB

Download
memory/956-55-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads