agenttesla | a0690460355704ff1a35f16f907ed3d4af190b150e8579e70984c0ee484ece8c

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PEDIDO#4965832-pdf.exe
Size

766KB
MD5

cd53bb5a8efb8397089db59307b51406
SHA1

b6749766413cdd7a7c6b58bb1d596a6d4478e1a4
SHA256

d44272fe83f10383b50e8268ffe5f7f70e1c2b355363ccde038172f6a9eb5479
SHA512

5931d2c2966e2ca76ac307d4742acc2847da04bceaf02475e2d9bf0b3e081aeed4bb5caf2396a417bc3194cf6cda4c3d6b38538e75cb5a32a934e6ab62004f41

Score

10^/10

agenttesla agilenet collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/708-64-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/708-65-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/708-66-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/708-67-0x0000000000454DCE-mapping.dmp	family_agenttesla
behavioral1/memory/708-70-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla
behavioral1/memory/708-72-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

708 RegAsm.exe

pid	process
708	RegAsm.exe

Loads dropped DLL 8 IoCs

Processes:

PEDIDO#4965832-pdf.exeRegAsm.exeWerFault.exe

pid	process
960	PEDIDO#4965832-pdf.exe
960	PEDIDO#4965832-pdf.exe
708	RegAsm.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/960-56-0x0000000000300000-0x0000000000322000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PEDIDO#4965832-pdf.exe

description pid process target process

PID 960 set thread context of 708 960 PEDIDO#4965832-pdf.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1984 708 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PEDIDO#4965832-pdf.exeRegAsm.exe

pid process

960 PEDIDO#4965832-pdf.exe
960 PEDIDO#4965832-pdf.exe
960 PEDIDO#4965832-pdf.exe
708 RegAsm.exe
708 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PEDIDO#4965832-pdf.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 960 PEDIDO#4965832-pdf.exe
Token: SeDebugPrivilege 708 RegAsm.exe

description	pid	process	target process
PID 960 set thread context of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe

pid	pid_target	process	target process
1984	708	WerFault.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	960	PEDIDO#4965832-pdf.exe
Token: SeDebugPrivilege	708	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

PEDIDO#4965832-pdf.exeRegAsm.exe

description	pid	process	target process
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 960 wrote to memory of 708	960	PEDIDO#4965832-pdf.exe	RegAsm.exe
PID 708 wrote to memory of 1984	708	RegAsm.exe	WerFault.exe
PID 708 wrote to memory of 1984	708	RegAsm.exe	WerFault.exe
PID 708 wrote to memory of 1984	708	RegAsm.exe	WerFault.exe
PID 708 wrote to memory of 1984	708	RegAsm.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\PEDIDO#4965832-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PEDIDO#4965832-pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 1088
3⤵
- Loads dropped DLL
- Program crash
PID:1984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/708-64-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/708-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/708-61-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/708-67-0x0000000000454DCE-mapping.dmp

Download
memory/708-70-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/708-72-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/708-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/708-66-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/960-58-0x00000000746A0000-0x0000000074720000-memory.dmp

Filesize
512KB

Download
memory/960-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/960-56-0x0000000000300000-0x0000000000322000-memory.dmp

Filesize
136KB

Download
memory/960-54-0x0000000001080000-0x0000000001146000-memory.dmp

Filesize
792KB

Download
memory/960-59-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/1984-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads