agenttesla | 114715fd595f921a2f53432580cb26c0701889a261f27898c3adb5fcd3c85d77

General

Target

DHL Tracer.exe
Size

476KB
MD5

f927ffcebf123c54c24b69a9f9f54d95
SHA1

e41b24b92d2888b300f2b83914b2c2c2a35da5b4
SHA256

098081d46fdcd470aec4d1e75d2adeb27af1e7cb8c4930ce21e3b1ea781a8df2
SHA512

088623d18d34cac2d73026756b38ee8d4a4de47084c4db8a8b002010e11e211f8ed4e66bf7498cd3c26731151f1dc91d71182795ac342cba59c67118f595abd7

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Mummy212

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3156-134-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL Tracer.exe

description pid process target process

PID 3144 set thread context of 3156 3144 DHL Tracer.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DHL Tracer.exeRegSvcs.exe

pid process

3144 DHL Tracer.exe
3144 DHL Tracer.exe
3144 DHL Tracer.exe
3144 DHL Tracer.exe
3156 RegSvcs.exe
3156 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL Tracer.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 3144 DHL Tracer.exe
Token: SeDebugPrivilege 3156 RegSvcs.exe

description	pid	process	target process
PID 3144 set thread context of 3156	3144	DHL Tracer.exe	RegSvcs.exe

pid	process
3144	DHL Tracer.exe
3144	DHL Tracer.exe
3144	DHL Tracer.exe
3144	DHL Tracer.exe
3156	RegSvcs.exe
3156	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3144	DHL Tracer.exe
Token: SeDebugPrivilege	3156	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

DHL Tracer.exeRegSvcs.exe

description	pid	process	target process
PID 3144 wrote to memory of 1992	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 1992	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 1992	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 4072	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 4072	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 4072	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3144 wrote to memory of 3156	3144	DHL Tracer.exe	RegSvcs.exe
PID 3156 wrote to memory of 1744	3156	RegSvcs.exe	netsh.exe
PID 3156 wrote to memory of 1744	3156	RegSvcs.exe	netsh.exe
PID 3156 wrote to memory of 1744	3156	RegSvcs.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\DHL Tracer.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Tracer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3156

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-136-0x0000000000000000-mapping.dmp

Download
memory/1992-131-0x0000000000000000-mapping.dmp

Download
memory/3144-130-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-133-0x0000000000000000-mapping.dmp

Download
memory/3156-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3156-135-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4072-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads