agenttesla | 52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95

Analysis

max time kernel
123s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
Size

365KB
MD5

00019d1f3a3a41d8ccc18add05089cbc
SHA1

42cf65b7ab2db8393eb49bda857335fc247b0810
SHA256

52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95
SHA512

179a4d583695ca50722ba8d51399388c2bf3faf6616146390591f826881d8aabf83b7b756d627e4c2c6793ab03dc1140fc9554f70ddf82d22196952e7819795d

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wepmill.website
Port:
587
Username:
[email protected]
Password:
~@Sp$wQecPDi***

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1340-151-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
716	OyZMVOyYmqQyOLllma5.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUKelVva = "C:\\Users\\Admin\\AppData\\Roaming\\KgJSxcb\\rjYvA.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 716 set thread context of 1340	716	OyZMVOyYmqQyOLllma5.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1340	RegAsm.exe
1340	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
716	OyZMVOyYmqQyOLllma5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1340	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 716	1068	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	79
PID 1068 wrote to memory of 716	1068	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	79
PID 1068 wrote to memory of 716	1068	52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe	79
PID 716 wrote to memory of 4852	716	OyZMVOyYmqQyOLllma5.exe	82
PID 716 wrote to memory of 4852	716	OyZMVOyYmqQyOLllma5.exe	82
PID 716 wrote to memory of 4852	716	OyZMVOyYmqQyOLllma5.exe	82
PID 4852 wrote to memory of 2476	4852	csc.exe	86
PID 4852 wrote to memory of 2476	4852	csc.exe	86
PID 4852 wrote to memory of 2476	4852	csc.exe	86
PID 716 wrote to memory of 2448	716	OyZMVOyYmqQyOLllma5.exe	87
PID 716 wrote to memory of 2448	716	OyZMVOyYmqQyOLllma5.exe	87
PID 716 wrote to memory of 2448	716	OyZMVOyYmqQyOLllma5.exe	87
PID 2448 wrote to memory of 2752	2448	csc.exe	89
PID 2448 wrote to memory of 2752	2448	csc.exe	89
PID 2448 wrote to memory of 2752	2448	csc.exe	89
PID 716 wrote to memory of 1340	716	OyZMVOyYmqQyOLllma5.exe	91
PID 716 wrote to memory of 1340	716	OyZMVOyYmqQyOLllma5.exe	91
PID 716 wrote to memory of 1340	716	OyZMVOyYmqQyOLllma5.exe	91
PID 716 wrote to memory of 1340	716	OyZMVOyYmqQyOLllma5.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe
"C:\Users\Admin\AppData\Local\Temp\52bc095ec68462b1d5200109724d3c8f9ceccab258e5f14031feeb7b4be85f95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fbbedjxw\fbbedjxw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB5E.tmp" "c:\Users\Admin\AppData\Local\Temp\fbbedjxw\CSCAA7E234061F4BC399A7A3196673F151.TMP"
      4⤵
      PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\puopbnaf\puopbnaf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC9.tmp" "c:\Users\Admin\AppData\Local\Temp\puopbnaf\CSC33757E24C6FF4575B994D69DEA53DEF3.TMP"
      4⤵
      PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllm

Filesize
1.2MB

MD5
ff09d0164efc5f51e802232c3eb85d2a

SHA1
746c4c3cb80858f278a9f58e18cdbb43c283669f

SHA256
ad408dcf35be1bd6bfda04a58d6fb3acdc86a364df3736c5dec134e52737ffa3

SHA512
724216619eee3be1e29ea52f01120a13021038014a4b877a2c01969e548e72f1be735320e0d5767301ffcf7566fa7f2d3b26721e6f89fd0e3f88e7e9ae112801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OyZMVOyYmqQyOLllma5.exe

Filesize
38KB

MD5
513821a3d4f9863d349cfb7dbe98511d

SHA1
79cf9e249f56363884a2ab26b05f71ca0b8a3411

SHA256
bf358c19600b990bb3b8804c1632224b6bdd67f6b642b9705d50644fd97dbc5a

SHA512
5a6cf7bc5166919032c39afbb984447e3401e2a8d2dc9129ee2330d7c9f81c43ad217c3bc23fe0ab0813883a1cdb94a48d50a848bfed74e6aecc28c5026e018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB5E.tmp

Filesize
1KB

MD5
625b775aec991dcb980a8974bc7f9867

SHA1
50111e6ab79536e788f8ae70686a106bda4264da

SHA256
5f1f669358ca5abc2069a9ae66d61a4171a9e18afcb84389cb1866d183606b00

SHA512
66bad49fa6d3755224b4daad99448914948c65e091bc362dccab999d76f8bcaa74f607376b61fa50923af060659e4ae847af1dc775a3b5910832a243ae885927

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCEC9.tmp

Filesize
1KB

MD5
49bf9b1cfe23957cc3205ca96ffa836d

SHA1
f9f0fdac49a563f9c85831ddb3a0408ec1ef5626

SHA256
e2db99cb5a533c92870fdc9556d0ea93b20d9fc23d22d5d24cb418214d9b3139

SHA512
e4775623ae645c08d3e476a402ea9f6cdc921a98c24fbdaa45356fe6aef6e3e91b8b51ef0ea3178145f6511d3edf79365432a4952a2cca1b4492afd14d27f393

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbbedjxw\fbbedjxw.dll

Filesize
839KB

MD5
31463a5ede59ff2a1ced30bc548b2e3f

SHA1
0381488c2d5c591949e8de2e3e05d9f2551a7e6a

SHA256
2d121d70cb6eebd50b0ca71040a5fcc7917c7ba06441f3988b82cfc9d55a4e7d

SHA512
bd755e03f51af063badd6dfc62affcc668254e3103398b81f5b96e8dc6f267479d6d6d8672352438bd10959e401c95e9fdca046cce5c63239179994556f7575a

Download Submit
C:\Users\Admin\AppData\Local\Temp\puopbnaf\puopbnaf.dll

Filesize
839KB

MD5
3ecf41e63944a923e37d6f9e71c08c6e

SHA1
6cb0eb01f9831a0a665c92c493dbfea8c8648da0

SHA256
5fb421a3219a0227acabe8d54e2bd0784ab49c89400b1b8cbf9e6c7cc40902a3

SHA512
bca6c445a0d1fb0dc4ef7d5310681e4b4ae4acf4f24559d0271d361e681cdcfa4f6ce3f92c0d6209e8216b2c13132bd151248255e6f44997ae5e971d967d248b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fbbedjxw\CSCAA7E234061F4BC399A7A3196673F151.TMP

Filesize
652B

MD5
75c2b2b9198dcffadd126b6ebce8830b

SHA1
0896f4c9607ba7c997cbcaa1c52c6ddf70a825bd

SHA256
a8227edd8013210e3df865c27d7a4011e3be2bd6bec9e65d7a49cbfb8af9a7fa

SHA512
474e139a6ecb2c5ee777465ab51c0198cc91d2afec00a75d7742485d763046b699956837b40d16dc55c7ecd797790e07d54ab27c9d972d3151a2cd2ba8b5e515

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fbbedjxw\fbbedjxw.0.cs

Filesize
1.2MB

MD5
a0352bbc3752a5448c80b91f043fe640

SHA1
570cc00e89bda534252f908977f7eddf9906f27a

SHA256
a7280cff8bc8efb0dc2814751d36dacc2ee1e078723012aae73474a7d778616c

SHA512
a0d44fe841e4669399e2f6bd96e55fbae19bad8df0195258ddbd95ce4d8742da318d02f96a8b8f9ceb00cc1e761c3f7f0eb52bbd98a324b68fb4360618275fa0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fbbedjxw\fbbedjxw.cmdline

Filesize
302B

MD5
a9bb6ea4abebcc864f9157533752113a

SHA1
fc1591ed5068ea217f06e9e940b3e6b92835d9c2

SHA256
c41cc87ada2f5119bae7c06241d839efab6a111e0c07e0f38d1ae2dd7114eca0

SHA512
f98c66943d2f4a74f616f17dbe459d75cc134db89cb715c8ebd7eafa4cc678786f38c3da6dc6d47bbf0fb8987d9a8c0629b41723db984eaad0ced7367143af2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\puopbnaf\CSC33757E24C6FF4575B994D69DEA53DEF3.TMP

Filesize
652B

MD5
e20182e491b04778afd624cc97149f60

SHA1
fbe7e8e66850d0473dd188b0cf74f1f635ed464a

SHA256
17b807f6688d9fee28d4e741f07487dc192c37b4427b4d92567a031df7b74b2d

SHA512
6bd9105cb5fc62ef44babcd59429c700732527f76959d32678bc8579873e9e147011157e4b399bb0eb0b3814e0ac8ce5d65a4a4663f550fc242c3441e9ab8854

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\puopbnaf\puopbnaf.0.cs

Filesize
1.2MB

MD5
a0352bbc3752a5448c80b91f043fe640

SHA1
570cc00e89bda534252f908977f7eddf9906f27a

SHA256
a7280cff8bc8efb0dc2814751d36dacc2ee1e078723012aae73474a7d778616c

SHA512
a0d44fe841e4669399e2f6bd96e55fbae19bad8df0195258ddbd95ce4d8742da318d02f96a8b8f9ceb00cc1e761c3f7f0eb52bbd98a324b68fb4360618275fa0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\puopbnaf\puopbnaf.cmdline

Filesize
302B

MD5
735ba21b3f335da5129c7a7aabd5b226

SHA1
bde6dcf01e1d76cfafbf3cf1a13b7d1ecb8f3276

SHA256
b98169f2aab90c30a32eaa20cc4c539ac3e0982f80e1fce7fea8ac949421b701

SHA512
cc35583cdecf280d633819f18c8b78d1ef1d0d2aad28b03e3637dc6572c596c9e98cecb5bab486dbb1ea6fd2cdf0bf5c3428ba2b84ce9341305c12a83fcb554d

Download Submit
memory/716-133-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/716-150-0x0000000002E90000-0x0000000002E93000-memory.dmp

Filesize
12KB

Download
memory/1340-153-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/1340-151-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1340-152-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/1340-154-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download
memory/1340-155-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/1340-156-0x0000000006470000-0x000000000647A000-memory.dmp

Filesize
40KB

Download