agenttesla | e0086eee7d1ee35ecf7421113b9b13922ff6d040f2eca5130ac6e7f4c2b27b3d

General

Target

citat.exe
Size

424KB
MD5

e9567d62f6cbad2e5c23cc82f5f62377
SHA1

68803124332bf57b6f6a7cc9fad33d6feee8a48a
SHA256

fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277
SHA512

2a87593eac99c22e35459ab6651d022b7530a60bca5ea130a3bf4faf3c60b306b8a64b469da6e137c45a5dd2d9dad6d0787c5caa59ebcc6d279aa15caec70139

Score

10^/10

agenttesla collection evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
SENEGAL12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-63-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1904-64-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1904-65-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1904-66-0x0000000000446D2E-mapping.dmp	family_agenttesla
behavioral1/memory/1904-70-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1904-68-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

citat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	citat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	citat.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

citat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	citat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	citat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

citat.exe

description pid process target process

PID 1480 set thread context of 1904 1480 citat.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1904 RegSvcs.exe
1904 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1904 RegSvcs.exe

description	pid	process	target process
PID 1480 set thread context of 1904	1480	citat.exe	RegSvcs.exe

pid	process
1968	schtasks.exe

pid	process
1904	RegSvcs.exe
1904	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1904	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

citat.exe

description	pid	process	target process
PID 1480 wrote to memory of 1968	1480	citat.exe	schtasks.exe
PID 1480 wrote to memory of 1968	1480	citat.exe	schtasks.exe
PID 1480 wrote to memory of 1968	1480	citat.exe	schtasks.exe
PID 1480 wrote to memory of 1968	1480	citat.exe	schtasks.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe
PID 1480 wrote to memory of 1904	1480	citat.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\citat.exe
"C:\Users\Admin\AppData\Local\Temp\citat.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqYhveSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp"
2⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp
Filesize
1KB

MD5
53a1214a908aca082dc6dbf5f825b864

SHA1
5db654bfbe32a851ad714a5df3d696afe45ddb5f

SHA256
3ca1814014a6c4563332d9feb941cf96fd5acab027df7a0fda4c95c4510dae0b

SHA512
24b0f68c9366a79d2862370bed8a442b77ee0584a3d9d18e6e1bad8d857002551126d7a66d038478ffc066a289b5b07abe5effc8daaff7e9830d1faf1ff37057

Download Submit
memory/1480-55-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1480-56-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/1480-57-0x00000000007B0000-0x0000000000804000-memory.dmp

Filesize
336KB

Download
memory/1480-54-0x0000000000340000-0x00000000003B0000-memory.dmp

Filesize
448KB

Download
memory/1904-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1904-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1904-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1904-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1904-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1904-66-0x0000000000446D2E-mapping.dmp

Download
memory/1904-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1904-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1968-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads