agenttesla | 04a990af9ec733087cd99c0923184bca77cdd9ac0212383bcdeeca36dfa60abf

General

Target

PO INOXIA-2020082.exe
Size

424KB
MD5

f19e40c4a17e876861224a3bdf4865db
SHA1

7c128d123de06af4fdb9448aab02ae952ca0896a
SHA256

89783698af3d7850d24aab49842448e97ea61977ceb7133d501057349d8cbffe
SHA512

e2912aefb14683aae061fff3db8590622fe7da72c88d05f8b32045090a432b274175ac3a3705e2620888380762249d987bcb73eade2c05c8c42d44f1e8adc083

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
alibaba123

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
alibaba123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2696-134-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

PO INOXIA-2020082.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO INOXIA-2020082.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO INOXIA-2020082.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO INOXIA-2020082.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO INOXIA-2020082.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YwxGLc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YwxGLc\\YwxGLc.exe"	PO INOXIA-2020082.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO INOXIA-2020082.exe

description pid process target process

PID 1536 set thread context of 2696 1536 PO INOXIA-2020082.exe PO INOXIA-2020082.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO INOXIA-2020082.exePO INOXIA-2020082.exe

pid process

1536 PO INOXIA-2020082.exe
1536 PO INOXIA-2020082.exe
1536 PO INOXIA-2020082.exe
2696 PO INOXIA-2020082.exe
2696 PO INOXIA-2020082.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO INOXIA-2020082.exePO INOXIA-2020082.exe

description pid process

Token: SeDebugPrivilege 1536 PO INOXIA-2020082.exe
Token: SeDebugPrivilege 2696 PO INOXIA-2020082.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO INOXIA-2020082.exe

pid process

2696 PO INOXIA-2020082.exe

description	pid	process	target process
PID 1536 set thread context of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe

pid	process
1536	PO INOXIA-2020082.exe
1536	PO INOXIA-2020082.exe
1536	PO INOXIA-2020082.exe
2696	PO INOXIA-2020082.exe
2696	PO INOXIA-2020082.exe

description	pid	process
Token: SeDebugPrivilege	1536	PO INOXIA-2020082.exe
Token: SeDebugPrivilege	2696	PO INOXIA-2020082.exe

pid	process
2696	PO INOXIA-2020082.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO INOXIA-2020082.exe

description	pid	process	target process
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe
PID 1536 wrote to memory of 2696	1536	PO INOXIA-2020082.exe	PO INOXIA-2020082.exe

outlook_office_path 1 IoCs

Processes:

PO INOXIA-2020082.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO INOXIA-2020082.exe

outlook_win_path 1 IoCs

Processes:

PO INOXIA-2020082.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO INOXIA-2020082.exe

C:\Users\Admin\AppData\Local\Temp\PO INOXIA-2020082.exe
"C:\Users\Admin\AppData\Local\Temp\PO INOXIA-2020082.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\PO INOXIA-2020082.exe
"C:\Users\Admin\AppData\Local\Temp\PO INOXIA-2020082.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-130-0x0000000000800000-0x000000000086E000-memory.dmp

Filesize
440KB

Download
memory/1536-131-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/1536-132-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/2696-133-0x0000000000000000-mapping.dmp

Download
memory/2696-134-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2696-135-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/2696-136-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2696-137-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/2696-138-0x0000000006890000-0x000000000689A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads