agenttesla | e0086eee7d1ee35ecf7421113b9b13922ff6d040f2eca5130ac6e7f4c2b27b3d

General

Target

citat.exe
Size

424KB
MD5

e9567d62f6cbad2e5c23cc82f5f62377
SHA1

68803124332bf57b6f6a7cc9fad33d6feee8a48a
SHA256

fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277
SHA512

2a87593eac99c22e35459ab6651d022b7530a60bca5ea130a3bf4faf3c60b306b8a64b469da6e137c45a5dd2d9dad6d0787c5caa59ebcc6d279aa15caec70139

Score

10^/10

agenttesla collection evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
SENEGAL12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5036-139-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

citat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	citat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	citat.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

citat.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation citat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	citat.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

citat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	citat.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	citat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

citat.exe

description pid process target process

PID 4624 set thread context of 5036 4624 citat.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

944 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

citat.exeRegSvcs.exe

pid process

4624 citat.exe
5036 RegSvcs.exe
5036 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

citat.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4624 citat.exe
Token: SeDebugPrivilege 5036 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

5036 RegSvcs.exe

description	pid	process	target process
PID 4624 set thread context of 5036	4624	citat.exe	RegSvcs.exe

pid	process
944	schtasks.exe

pid	process
4624	citat.exe
5036	RegSvcs.exe
5036	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4624	citat.exe
Token: SeDebugPrivilege	5036	RegSvcs.exe

pid	process
5036	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

citat.exe

description	pid	process	target process
PID 4624 wrote to memory of 944	4624	citat.exe	schtasks.exe
PID 4624 wrote to memory of 944	4624	citat.exe	schtasks.exe
PID 4624 wrote to memory of 944	4624	citat.exe	schtasks.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe
PID 4624 wrote to memory of 5036	4624	citat.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\citat.exe
"C:\Users\Admin\AppData\Local\Temp\citat.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqYhveSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F2E.tmp"
2⤵
- Creates scheduled task(s)
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F2E.tmp

Filesize
1KB

MD5
019653f0e0c2f88aac731e2d07d1cbeb

SHA1
c5a11b2b03fb710924b92e2f97721e804ef0198a

SHA256
104cd87f6d1876228bd0ff21220ef7c713187b5e77da8f827346c1022fa81055

SHA512
0d3d379213a233804d91544a5d34334e5f9bf010c8c21091405febc768b6435962233a0283c09f4a38c2c896cbc0c8b629f2d276607908d1e68f7c08d6b9c970

Download Submit
memory/944-136-0x0000000000000000-mapping.dmp

Download
memory/4624-130-0x0000000000DB0000-0x0000000000E20000-memory.dmp

Filesize
448KB

Download
memory/4624-131-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/4624-132-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4624-133-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/4624-134-0x0000000008030000-0x00000000080CC000-memory.dmp

Filesize
624KB

Download
memory/4624-135-0x00000000081D0000-0x0000000008236000-memory.dmp

Filesize
408KB

Download
memory/5036-138-0x0000000000000000-mapping.dmp

Download
memory/5036-139-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5036-140-0x0000000006B60000-0x0000000006BB0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads