agenttesla | 8ffedf5e468337d6420f1f3f701222dd2578474ebb2efbd545430560558b12d3

General

Target

ORDER NO. DC08021.exe
Size

693KB
MD5

d45c4fed12f1ff0cc6332b1141d0b435
SHA1

3ef534d2d63cc3e13c99fedebe980f52ff05ee38
SHA256

7d45448bfe8b015e4c529ea7c1898c7a311d8ce42eb208957113735c5b750335
SHA512

00059cbbb1f88bde4c3860c40a822e35e93128e91cb889ffeb03745dae7b7a1a8bd472b086f1abfc2567392137080fa15c65ee031c1ada6a3c0e112a6b3f326c

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.kohinoorribbon.com
Port:
587
Username:
[email protected]
Password:
ashu@1976

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1440-61-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1440-62-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1440-63-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1440-64-0x000000000044731E-mapping.dmp	family_agenttesla
behavioral1/memory/1440-66-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1440-68-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ORDER NO. DC08021.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORDER NO. DC08021.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORDER NO. DC08021.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORDER NO. DC08021.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER NO. DC08021.exe

description pid process target process

PID 884 set thread context of 1440 884 ORDER NO. DC08021.exe ORDER NO. DC08021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2004 schtasks.exe

description	pid	process	target process
PID 884 set thread context of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe

pid	process
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ORDER NO. DC08021.exeORDER NO. DC08021.exe

pid	process
884	ORDER NO. DC08021.exe
884	ORDER NO. DC08021.exe
884	ORDER NO. DC08021.exe
884	ORDER NO. DC08021.exe
884	ORDER NO. DC08021.exe
884	ORDER NO. DC08021.exe
1440	ORDER NO. DC08021.exe
1440	ORDER NO. DC08021.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER NO. DC08021.exeORDER NO. DC08021.exe

description pid process

Token: SeDebugPrivilege 884 ORDER NO. DC08021.exe
Token: SeDebugPrivilege 1440 ORDER NO. DC08021.exe

description	pid	process
Token: SeDebugPrivilege	884	ORDER NO. DC08021.exe
Token: SeDebugPrivilege	1440	ORDER NO. DC08021.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ORDER NO. DC08021.exe

description	pid	process	target process
PID 884 wrote to memory of 2004	884	ORDER NO. DC08021.exe	schtasks.exe
PID 884 wrote to memory of 2004	884	ORDER NO. DC08021.exe	schtasks.exe
PID 884 wrote to memory of 2004	884	ORDER NO. DC08021.exe	schtasks.exe
PID 884 wrote to memory of 2004	884	ORDER NO. DC08021.exe	schtasks.exe
PID 884 wrote to memory of 1956	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1956	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1956	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1956	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe
PID 884 wrote to memory of 1440	884	ORDER NO. DC08021.exe	ORDER NO. DC08021.exe

outlook_office_path 1 IoCs

Processes:

ORDER NO. DC08021.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORDER NO. DC08021.exe

outlook_win_path 1 IoCs

Processes:

ORDER NO. DC08021.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ORDER NO. DC08021.exe

C:\Users\Admin\AppData\Local\Temp\ORDER NO. DC08021.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER NO. DC08021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp"
2⤵
- Creates scheduled task(s)
PID:2004

C:\Users\Admin\AppData\Local\Temp\ORDER NO. DC08021.exe
"{path}"
2⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\ORDER NO. DC08021.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp

Filesize
1KB

MD5
ab15c7fe3dc23f51a8ed4545eb54a9cb

SHA1
206a5e711a5b8819deae10c568fa760a23d9308c

SHA256
2889f7b15e75b474bfa37c720f216861f138e8e39e1d2f807ce751a21086674b

SHA512
29b8f09dfa625fad63d6cae0fd9d9f9ea19a4b5a001138c5afb644c0d37f1cc2e7bf51a4242af433568b22b19613b1570a234474663cc659dd4ad54c7407a114

Download Submit
memory/884-55-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/884-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1440-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-64-0x000000000044731E-mapping.dmp

Download
memory/1440-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-70-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads