agenttesla | dcf30d6873c46c59ea16df5d1e0cab2f2d8fe00674254040fb2b18906fd3972c

General

Target

REMITTANCE ADVICE IF0112000212823419.pdf..exe
Size

714KB
MD5

1a25e75693b99ad09e55aea29c6f2775
SHA1

127c636848aff40eb37c0bdb325ec7d1c4c3bfca
SHA256

c2bc9f2091a56e2d7045ddc273ba91462252f51baec6e6e62f6d0a08735564dd
SHA512

c3fa5315b9069ce059203273536d42e337504bba5b7c31570298356b32219e487b7ee99d43ad81dbae2bc1e9da06cf0f2c87fedeeb755a921056a5be65daabd2

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.stankovic.hr
Port:
587
Username:
[email protected]
Password:
mp58zg

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-138-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

REMITTANCE ADVICE IF0112000212823419.pdf..exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	REMITTANCE ADVICE IF0112000212823419.pdf..exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oPLNOE = "C:\\Users\\Admin\\AppData\\Roaming\\oPLNOE\\oPLNOE.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

REMITTANCE ADVICE IF0112000212823419.pdf..exe

description pid process target process

PID 1452 set thread context of 744 1452 REMITTANCE ADVICE IF0112000212823419.pdf..exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2088 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

4168 REG.exe

description	pid	process	target process
PID 1452 set thread context of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe

pid	process
2088	schtasks.exe

pid	process
4168	REG.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

REMITTANCE ADVICE IF0112000212823419.pdf..exeRegSvcs.exe

pid	process
1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe
1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe
1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe
1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe
744	RegSvcs.exe
744	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

REMITTANCE ADVICE IF0112000212823419.pdf..exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1452 REMITTANCE ADVICE IF0112000212823419.pdf..exe
Token: SeDebugPrivilege 744 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe
Token: SeDebugPrivilege	744	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

REMITTANCE ADVICE IF0112000212823419.pdf..exeRegSvcs.exe

description	pid	process	target process
PID 1452 wrote to memory of 2088	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	schtasks.exe
PID 1452 wrote to memory of 2088	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	schtasks.exe
PID 1452 wrote to memory of 2088	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	schtasks.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 1452 wrote to memory of 744	1452	REMITTANCE ADVICE IF0112000212823419.pdf..exe	RegSvcs.exe
PID 744 wrote to memory of 4168	744	RegSvcs.exe	REG.exe
PID 744 wrote to memory of 4168	744	RegSvcs.exe	REG.exe
PID 744 wrote to memory of 4168	744	RegSvcs.exe	REG.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE IF0112000212823419.pdf..exe
"C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE IF0112000212823419.pdf..exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D57.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Drops file in Drivers directory
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:744
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
    3⤵
    - Modifies registry key
    PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D57.tmp

Filesize
1KB

MD5
ab9f8a9574d9209cd8666decb37e33cc

SHA1
b768b98d37b96bcf5eeeb4bae10589a196b66db2

SHA256
2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704

SHA512
5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70

Download Submit
memory/744-137-0x0000000000000000-mapping.dmp

Download
memory/744-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/744-139-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/744-140-0x0000000006C40000-0x0000000006C90000-memory.dmp

Filesize
320KB

Download
memory/1452-130-0x0000000000E30000-0x0000000000EE8000-memory.dmp

Filesize
736KB

Download
memory/1452-131-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/1452-132-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/1452-133-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/1452-134-0x0000000009270000-0x000000000930C000-memory.dmp

Filesize
624KB

Download
memory/2088-135-0x0000000000000000-mapping.dmp

Download
memory/4168-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads