agenttesla | 6500927c19e228cc116484a103ba594fdeadccf06159332ead8cc9b3d9da83db

General

Target

033304a9a935c4d0d64769245abfe3ae.exe
Size

350KB
MD5

033304a9a935c4d0d64769245abfe3ae
SHA1

ebe539aeb57b78a3ad8085fe61dcc5ce3bfb6fd9
SHA256

6500927c19e228cc116484a103ba594fdeadccf06159332ead8cc9b3d9da83db
SHA512

f9da9c01941b5694c46d9b8f1fb4d4710a025409b672eb62ca913979f0aa26fc1ac8eb922388c4c29c8f7405ad268a871221cd38b0494c18936612756af021c0

Score

10^/10

agenttesla neshta collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	033304a9a935c4d0d64769245abfe3ae.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/568-62-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/568-63-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral1/memory/568-66-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/568-67-0x0000000002170000-0x00000000021A7000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe033304a9a935c4d0d64769245abfe3ae.exe

pid process

1112 033304a9a935c4d0d64769245abfe3ae.exe
568 033304a9a935c4d0d64769245abfe3ae.exe

pid	process
1112	033304a9a935c4d0d64769245abfe3ae.exe
568	033304a9a935c4d0d64769245abfe3ae.exe

Loads dropped DLL 4 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe033304a9a935c4d0d64769245abfe3ae.exe

pid	process
800	033304a9a935c4d0d64769245abfe3ae.exe
1112	033304a9a935c4d0d64769245abfe3ae.exe
1112	033304a9a935c4d0d64769245abfe3ae.exe
800	033304a9a935c4d0d64769245abfe3ae.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	033304a9a935c4d0d64769245abfe3ae.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	033304a9a935c4d0d64769245abfe3ae.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	033304a9a935c4d0d64769245abfe3ae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\myApp = "C:\\Users\\Admin\\AppData\\Roaming\\myApp\\myApp.exe"	033304a9a935c4d0d64769245abfe3ae.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description pid process target process

PID 1112 set thread context of 568 1112 033304a9a935c4d0d64769245abfe3ae.exe 033304a9a935c4d0d64769245abfe3ae.exe

description	pid	process	target process
PID 1112 set thread context of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe

Drops file in Program Files directory 7 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	033304a9a935c4d0d64769245abfe3ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	033304a9a935c4d0d64769245abfe3ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	033304a9a935c4d0d64769245abfe3ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	033304a9a935c4d0d64769245abfe3ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	033304a9a935c4d0d64769245abfe3ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	033304a9a935c4d0d64769245abfe3ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	033304a9a935c4d0d64769245abfe3ae.exe

Drops file in Windows directory 1 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description ioc process

File opened for modification C:\Windows\svchost.com 033304a9a935c4d0d64769245abfe3ae.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	033304a9a935c4d0d64769245abfe3ae.exe

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe	nsis_installer_2

Modifies registry class 1 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	033304a9a935c4d0d64769245abfe3ae.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

pid process

568 033304a9a935c4d0d64769245abfe3ae.exe
568 033304a9a935c4d0d64769245abfe3ae.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description pid process

Token: SeDebugPrivilege 568 033304a9a935c4d0d64769245abfe3ae.exe

pid	process
568	033304a9a935c4d0d64769245abfe3ae.exe
568	033304a9a935c4d0d64769245abfe3ae.exe

description	pid	process
Token: SeDebugPrivilege	568	033304a9a935c4d0d64769245abfe3ae.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe033304a9a935c4d0d64769245abfe3ae.exe

outlook_office_path 1 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	033304a9a935c4d0d64769245abfe3ae.exe

outlook_win_path 1 IoCs

Processes:

033304a9a935c4d0d64769245abfe3ae.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	033304a9a935c4d0d64769245abfe3ae.exe

C:\Users\Admin\AppData\Local\Temp\033304a9a935c4d0d64769245abfe3ae.exe
"C:\Users\Admin\AppData\Local\Temp\033304a9a935c4d0d64769245abfe3ae.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe

MD5
01d37a2dc0153678b509ed07c2891014

SHA1
78a1710974bbec3de74f27c0f0574b6bb2c43e65

SHA256
284a7b827997880f862d34ae032872879702666ede431949cd345bc13544772c

SHA512
64a893554834d531cf9ee649ea9978c4b814bf0a6ef2e04eb01a9248848299acb6d712340aa0abbaddc18fd16c72e2a4da257b202cef7a4fd82ba99fc9835f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe

MD5
01d37a2dc0153678b509ed07c2891014

SHA1
78a1710974bbec3de74f27c0f0574b6bb2c43e65

SHA256
284a7b827997880f862d34ae032872879702666ede431949cd345bc13544772c

SHA512
64a893554834d531cf9ee649ea9978c4b814bf0a6ef2e04eb01a9248848299acb6d712340aa0abbaddc18fd16c72e2a4da257b202cef7a4fd82ba99fc9835f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe

MD5
01d37a2dc0153678b509ed07c2891014

SHA1
78a1710974bbec3de74f27c0f0574b6bb2c43e65

SHA256
284a7b827997880f862d34ae032872879702666ede431949cd345bc13544772c

SHA512
64a893554834d531cf9ee649ea9978c4b814bf0a6ef2e04eb01a9248848299acb6d712340aa0abbaddc18fd16c72e2a4da257b202cef7a4fd82ba99fc9835f9e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe

MD5
01d37a2dc0153678b509ed07c2891014

SHA1
78a1710974bbec3de74f27c0f0574b6bb2c43e65

SHA256
284a7b827997880f862d34ae032872879702666ede431949cd345bc13544772c

SHA512
64a893554834d531cf9ee649ea9978c4b814bf0a6ef2e04eb01a9248848299acb6d712340aa0abbaddc18fd16c72e2a4da257b202cef7a4fd82ba99fc9835f9e

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\033304a9a935c4d0d64769245abfe3ae.exe

MD5
01d37a2dc0153678b509ed07c2891014

SHA1
78a1710974bbec3de74f27c0f0574b6bb2c43e65

SHA256
284a7b827997880f862d34ae032872879702666ede431949cd345bc13544772c

SHA512
64a893554834d531cf9ee649ea9978c4b814bf0a6ef2e04eb01a9248848299acb6d712340aa0abbaddc18fd16c72e2a4da257b202cef7a4fd82ba99fc9835f9e

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC063.tmp\cxzqpbmkny.dll

MD5
e339d7fbe34086431a548b4ec483795f

SHA1
79b1d34dd81828e2884dcaeeff462cf3228878c9

SHA256
21a03f3f38f200bdd4bc3906a25b5d344aecb15c3842528c195b381b50baecee

SHA512
30bcc40d6decf58c66d8256f27f16cc497d118595dc7f891e509fbae66386767e67e71ae04fe2ad7dcd380f82dfc1e21c4fe337c08724ca7f9e0028dc4d5a201

Download Submit
memory/568-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/568-63-0x000000000040188B-mapping.dmp

Download
memory/568-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/568-67-0x0000000002170000-0x00000000021A7000-memory.dmp

Filesize
220KB

Download
memory/568-71-0x0000000001FD2000-0x0000000001FD3000-memory.dmp

Filesize
4KB

Download
memory/568-70-0x0000000001FD1000-0x0000000001FD2000-memory.dmp

Filesize
4KB

Download
memory/568-73-0x0000000001FD4000-0x0000000001FD5000-memory.dmp

Filesize
4KB

Download
memory/568-72-0x0000000001FD3000-0x0000000001FD4000-memory.dmp

Filesize
4KB

Download
memory/800-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1112-56-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 800 wrote to memory of 1112	800	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 800 wrote to memory of 1112	800	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 800 wrote to memory of 1112	800	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 800 wrote to memory of 1112	800	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe
PID 1112 wrote to memory of 568	1112	033304a9a935c4d0d64769245abfe3ae.exe	033304a9a935c4d0d64769245abfe3ae.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads