agenttesla | ec518c3d2b91a2d64ee75f7962c4131c0dbd68ed3b5c94304277baabdab1b335

General

Target

Order 00041221.exe
Size

503KB
MD5

7bfc35c1ab9e7be4e27af84de38e439f
SHA1

5f27b8402d22516e6b7e89527fd1a18bc4c4a727
SHA256

ec518c3d2b91a2d64ee75f7962c4131c0dbd68ed3b5c94304277baabdab1b335
SHA512

1e2b216efb16722bce9bc1939966a54e6951013f1f7943712be2d6c181e8f0544c86be5d10b9470d66bec4e87879d10bd9581f75900457ad9e97e080ad43bef0

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.topfrozenfoodbrand.com
Port:
587
Username:
[email protected]
Password:
Chukwudim28@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/700-125-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/700-126-0x0000000000436D9E-mapping.dmp	family_agenttesla

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Order 00041221.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order 00041221.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order 00041221.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order 00041221.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order 00041221.exe

description pid process target process

PID 2668 set thread context of 700 2668 Order 00041221.exe Order 00041221.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Order 00041221.exe

pid process

700 Order 00041221.exe
700 Order 00041221.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Order 00041221.exe

description pid process

Token: SeDebugPrivilege 700 Order 00041221.exe

description	pid	process	target process
PID 2668 set thread context of 700	2668	Order 00041221.exe	Order 00041221.exe

pid	process
700	Order 00041221.exe
700	Order 00041221.exe

description	pid	process
Token: SeDebugPrivilege	700	Order 00041221.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Order 00041221.exe

description	pid	process	target process
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe
PID 2668 wrote to memory of 700	2668	Order 00041221.exe	Order 00041221.exe

outlook_office_path 1 IoCs

Processes:

Order 00041221.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order 00041221.exe

outlook_win_path 1 IoCs

Processes:

Order 00041221.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Order 00041221.exe

C:\Users\Admin\AppData\Local\Temp\Order 00041221.exe
"C:\Users\Admin\AppData\Local\Temp\Order 00041221.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\Order 00041221.exe
"C:\Users\Admin\AppData\Local\Temp\Order 00041221.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 00041221.exe.log

MD5
f1181bc4bdff57024c4121f645548332

SHA1
d431ee3a3a5afcae2c4537b1d445054a0a95f6e6

SHA256
f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad

SHA512
cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3

Download Submit
memory/700-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/700-134-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/700-133-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/700-132-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/700-126-0x0000000000436D9E-mapping.dmp

Download
memory/2668-119-0x0000000004980000-0x0000000004E7E000-memory.dmp

Filesize
5.0MB

Download
memory/2668-123-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/2668-124-0x0000000007270000-0x00000000072D9000-memory.dmp

Filesize
420KB

Download
memory/2668-122-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/2668-121-0x0000000004CF0000-0x0000000004CF8000-memory.dmp

Filesize
32KB

Download
memory/2668-120-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2668-115-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2668-118-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2668-117-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads