agenttesla | 546b99166b206cd4a3db89b8e97579919a85e98d281632a2b6f5118f1bf5eaac

General

Target

Purchase Order.exe
Size

716KB
MD5

e5f74fba39a57d9e8f42b3073447b283
SHA1

429ab9b34e3cfadce00baf207f4a2a87666785de
SHA256

4282ae23bf6e1a962085b045a712056a9d98c1e03d9d77c6a226d3fc7ed89776
SHA512

f1754b72140111d0241720407d05e1e610ff08aad96289f2af51461d3ad1e7e0d4741ad7b28724e531a6195969a0105380b982d5509c52a98bb44ae85d95924e

Score

10^/10

agenttesla collection evasion keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.acmasindia.com
Port:
587
Username:
[email protected]
Password:
7R?_e#f.wLob

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.acmasindia.com
Port:
587
Username:
[email protected]
Password:
7R?_e#f.wLob

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2252-144-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

Purchase Order.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Purchase Order.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Purchase Order.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order.exePurchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Purchase Order.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Purchase Order.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Purchase Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Purchase Order.exePurchase Order.exe

description	pid	process	target process
PID 1820 set thread context of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 4420 set thread context of 2252	4420	Purchase Order.exe	Purchase Order.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3376 schtasks.exe
428 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

4600 REG.exe

pid	process
3376	schtasks.exe
428	schtasks.exe

pid	process
4600	REG.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Purchase Order.exePurchase Order.exePurchase Order.exe

pid	process
1820	Purchase Order.exe
1820	Purchase Order.exe
1820	Purchase Order.exe
1820	Purchase Order.exe
1820	Purchase Order.exe
1820	Purchase Order.exe
4420	Purchase Order.exe
2252	Purchase Order.exe
2252	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Purchase Order.exePurchase Order.exePurchase Order.exe

description	pid	process
Token: SeDebugPrivilege	1820	Purchase Order.exe
Token: SeDebugPrivilege	4420	Purchase Order.exe
Token: SeDebugPrivilege	2252	Purchase Order.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Purchase Order.exePurchase Order.exePurchase Order.exe

description	pid	process	target process
PID 1820 wrote to memory of 3376	1820	Purchase Order.exe	schtasks.exe
PID 1820 wrote to memory of 3376	1820	Purchase Order.exe	schtasks.exe
PID 1820 wrote to memory of 3376	1820	Purchase Order.exe	schtasks.exe
PID 1820 wrote to memory of 4824	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4824	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4824	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 1820 wrote to memory of 4420	1820	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 428	4420	Purchase Order.exe	schtasks.exe
PID 4420 wrote to memory of 428	4420	Purchase Order.exe	schtasks.exe
PID 4420 wrote to memory of 428	4420	Purchase Order.exe	schtasks.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 4420 wrote to memory of 2252	4420	Purchase Order.exe	Purchase Order.exe
PID 2252 wrote to memory of 4600	2252	Purchase Order.exe	REG.exe
PID 2252 wrote to memory of 4600	2252	Purchase Order.exe	REG.exe
PID 2252 wrote to memory of 4600	2252	Purchase Order.exe	REG.exe
PID 2252 wrote to memory of 4592	2252	Purchase Order.exe	netsh.exe
PID 2252 wrote to memory of 4592	2252	Purchase Order.exe	netsh.exe
PID 2252 wrote to memory of 4592	2252	Purchase Order.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

Purchase Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order.exe

outlook_win_path 1 IoCs

Processes:

Purchase Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bTbkBcUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp764E.tmp"
2⤵
- Creates scheduled task(s)
PID:3376

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"{path}"
2⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\izubZbilc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B6E.tmp"
3⤵
- Creates scheduled task(s)
PID:428

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"{path}"
3⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2252

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:4600

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
4⤵
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp764E.tmp
Filesize
1KB

MD5
cdc6f0cbd784cc7831bbdc51f558cde1

SHA1
4df7d8bbadf20d64986858fab3ff6ba8f8a910c1

SHA256
0119363381c3c5865908d224064b4480bc535a4346f2b774ce92a9d372cda2fa

SHA512
36eb743cf47297ae15b0c6a2e5afe848506bc1a9db56cbeb16cafa88effd3c01c0abf40f80b2f931fccee202cfba46e69f75c12fe413d7e81532c0b105010e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B6E.tmp
Filesize
1KB

MD5
7e68f860df61c4225e090f59ce17c8d0

SHA1
220bcbaed2f38c84621589b94ebbdf000f419ba1

SHA256
b93f4971d54726985e4450f4f24932e8ff6905131524b26fafdc2754b874d8a8

SHA512
d5cf6da34a8fa626aa14ce9a96201a804daeb33a4d35abf551490fd8449ad70a82a3818276550613d0da6a2aca0c9ae10cb47c6bbb5144d5ba6b99922ec238b1

Download Submit
memory/428-141-0x0000000000000000-mapping.dmp

Download
memory/1820-134-0x0000000009000000-0x000000000909C000-memory.dmp

Filesize
624KB

Download
memory/1820-133-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/1820-130-0x0000000000AD0000-0x0000000000B8A000-memory.dmp

Filesize
744KB

Download
memory/1820-131-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/1820-132-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2252-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2252-143-0x0000000000000000-mapping.dmp

Download
memory/2252-145-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/2252-147-0x00000000068C0000-0x0000000006910000-memory.dmp

Filesize
320KB

Download
memory/3376-135-0x0000000000000000-mapping.dmp

Download
memory/4420-139-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4420-138-0x0000000000000000-mapping.dmp

Download
memory/4592-148-0x0000000000000000-mapping.dmp

Download
memory/4600-146-0x0000000000000000-mapping.dmp

Download
memory/4824-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads