agenttesla | 52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95

Analysis

max time kernel
93s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
Size

365KB
MD5

00019d1f3a3a41d8ccc18add05089cbc
SHA1

42cf65b7ab2db8393eb49bda857335fc247b0810
SHA256

52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95
SHA512

179a4d583695ca50722ba8d51399388c2bf3faf6616146390591f826881d8aabf83b7b756d627e4c2c6793ab03dc1140fc9554f70ddf82d22196952e7819795d

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wepmill.website
Port:
587
Username:
[email protected]
Password:
~@Sp$wQecPDi***

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1320-88-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
1364	OyZMVOyYmqQyOLllma5.exe

Loads dropped DLL 3 IoCs

pid	Process
1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
1364	OyZMVOyYmqQyOLllma5.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\OUKelVva = "C:\\Users\\Admin\\AppData\\Roaming\\KgJSxcb\\rjYvA.exe"	RegAsm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1320	RegAsm.exe
1320	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1364	OyZMVOyYmqQyOLllma5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1320	RegAsm.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1016 wrote to memory of 1364	1016	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	28
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 1364 wrote to memory of 2044	1364	OyZMVOyYmqQyOLllma5.exe	29
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 2044 wrote to memory of 1200	2044	csc.exe	31
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 1364 wrote to memory of 2008	1364	OyZMVOyYmqQyOLllma5.exe	32
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 2008 wrote to memory of 1100	2008	csc.exe	34
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35
PID 1364 wrote to memory of 1320	1364	OyZMVOyYmqQyOLllma5.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
"C:\Users\Admin\AppData\Local\Temp\52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfgf3ira\hfgf3ira.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBA.tmp" "c:\Users\Admin\AppData\Local\Temp\hfgf3ira\CSCDD1F6A0BA76C4EC0993B2EEFA71342C5.TMP"
      4⤵
      PID:1200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvvcbpvx\tvvcbpvx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES124A.tmp" "c:\Users\Admin\AppData\Local\Temp\tvvcbpvx\CSC6D101337D9F4443901D8FB742908123.TMP"
      4⤵
      PID:1100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllm

Filesize
1.2MB

MD5
ff09d0164efc5f51e802232c3eb85d2a

SHA1
746c4c3cb80858f278a9f58e18cdbb43c283669f

SHA256
ad408dcf35be1bd6bfda04a58d6fb3acdc86a364df3736c5dec134e52737ffa3

SHA512
724216619eee3be1e29ea52f01120a13021038014a4b877a2c01969e548e72f1be735320e0d5767301ffcf7566fa7f2d3b26721e6f89fd0e3f88e7e9ae112801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES124A.tmp

Filesize
1KB

MD5
3694b9045de8f422bb08422c6e764536

SHA1
90238ea849f6bb8d18deab0125b58fa559882894

SHA256
f96b471d1d9def74226f857575984158f4218905a1e348a0b888a6708f11aed9

SHA512
7ee076608377a76be4e5f050e1ac8314cb25ecd2b036f7c40cf25c2fdc2c9d0e3be829dda94ed2f24246378b57a396f9a1410beb7811733d9dfb6eb4e92d72b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFBA.tmp

Filesize
1KB

MD5
33225d804cc5539cea67376b3d7fc91a

SHA1
319ab1d85af657e913a181027d24b2cbe51ce398

SHA256
f892325e51f1b9faec03258724679794d7f37bd800266e269e2d54bb16fb1122

SHA512
ecc0d71ccb72800c507813f8c65bccecec49ee14483329daa5c410d3a590231ea2538a0ade40d196678085b91293ab5a9a97894086bb350fc26529cb64138a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfgf3ira\hfgf3ira.dll

Filesize
839KB

MD5
0e00330e063fcec71e4d2984af4f6f9c

SHA1
9047cf980fc55553df5014f1a768858aa85db6c1

SHA256
f24d1f3165abf95a991d8721273531ec01bee30c9def33686885955b28289a6d

SHA512
428b178447663b5ede6807314478e271e835734172ad54266eeaff50c7c38a7ee625c3204159b7d0c41c9789990f58df7ccb19386ad3df3f021d76d14ef37681

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvvcbpvx\tvvcbpvx.dll

Filesize
839KB

MD5
43825085448415a6e8c389606abb35f5

SHA1
2cc37b44216ae0883bc2eb31aa024c03ee6a5ac0

SHA256
78078bd812ba153035a7040eaed3b64c46b397bf861577d276f28c34169303e1

SHA512
a711bed32693a6d4e39dd8a4fa4b5528014214e708090e116aec1d69e4874b2e805471eba0ce4d771673c80648777c7b556c2ab99c87be8f08be30390bdcb216

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfgf3ira\CSCDD1F6A0BA76C4EC0993B2EEFA71342C5.TMP

Filesize
652B

MD5
5d26a9b0f911d7d079b5925aec6905ca

SHA1
f5b4c8a78e3cc920ef69bb72abe0f15dd75ed718

SHA256
ec2ce1bf1dd4a58e4d9c00e6c6531aabfd80ffc379c7063363e863bf6fa29e04

SHA512
9a69946b99b429cb7383582a9e6112d811641ee03de2bd91f4eae6baabf729cc729aa4aa5cb3590a13c88350db9f86438e1810d8321f32d5241f334238c1dfed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfgf3ira\hfgf3ira.0.cs

Filesize
1.2MB

MD5
a0352bbc3752a5448c80b91f043fe640

SHA1
570cc00e89bda534252f908977f7eddf9906f27a

SHA256
a7280cff8bc8efb0dc2814751d36dacc2ee1e078723012aae73474a7d778616c

SHA512
a0d44fe841e4669399e2f6bd96e55fbae19bad8df0195258ddbd95ce4d8742da318d02f96a8b8f9ceb00cc1e761c3f7f0eb52bbd98a324b68fb4360618275fa0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfgf3ira\hfgf3ira.cmdline

Filesize
302B

MD5
27ce1f697245a5217fc359c3d4ae8136

SHA1
ea97dd685070b242dd4eadb13760853429215312

SHA256
d31f65d660c8fe8a9764b9a66abdff6a1c9b270bd103611fe1d78638e234ff85

SHA512
f241473047bfa1f7c05156229d67589c686ec99546f53eedb003e44f89266b3490f265aca58760f658af709515ceb7f9b7a8c69ce0d009451531a1a7acb91420

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvvcbpvx\CSC6D101337D9F4443901D8FB742908123.TMP

Filesize
652B

MD5
b311a951610e6447d3b0b106334b8570

SHA1
aab8dc543d327a02d576d02800644b255f7de2b0

SHA256
381dcdd9f939096d972227be4b4df3b1552b53d501701d5990d4f3493610ad3f

SHA512
4645a791676a14b3193d408910d22349347d43f5c5fa2c96f4a920bcf9447f19595752b3496ed6ee260343b1d7aa57063eca78eb204e579ddb204e6b7ed72acd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvvcbpvx\tvvcbpvx.0.cs

Filesize
1.2MB

MD5
a0352bbc3752a5448c80b91f043fe640

SHA1
570cc00e89bda534252f908977f7eddf9906f27a

SHA256
a7280cff8bc8efb0dc2814751d36dacc2ee1e078723012aae73474a7d778616c

SHA512
a0d44fe841e4669399e2f6bd96e55fbae19bad8df0195258ddbd95ce4d8742da318d02f96a8b8f9ceb00cc1e761c3f7f0eb52bbd98a324b68fb4360618275fa0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvvcbpvx\tvvcbpvx.cmdline

Filesize
302B

MD5
a520f511f2baae4a475f00f91deaff18

SHA1
5b0bf6f33d599c4c9d3d533390f5976eecc750e3

SHA256
2cb54e3f3aee635b2f3b82532c3980631b13966f02e0641c2212535d1b311228

SHA512
4fec6c1cd3f425cd097c01e73f9dc3e956670221e3cb32126bef3275223321aa3d6e2025c03e2ea106db732243bdc789d315445c7fb551c55e24b9bed3d94887

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
memory/1016-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1320-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-83-0x0000000001020000-0x00000000010F8000-memory.dmp

Filesize
864KB

Download
memory/1364-62-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/1364-84-0x00000000003F0000-0x0000000000444000-memory.dmp

Filesize
336KB

Download
memory/1364-73-0x0000000000E00000-0x0000000000ED8000-memory.dmp

Filesize
864KB

Download
memory/1364-86-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download