agenttesla | a6c02f2acd8af8b895519d6e064c950d47d33770a539484353d129fa555fda43

General

Target

Technical Details.exe
Size

427KB
MD5

f45b90ee156fcebbc41ee694e8714141
SHA1

a01e32250e4ae6096716b88ef1a81a936f5be413
SHA256

9bf584f64af278fb0a7afd8aa15c460e19e3263388bc896284712c7a07426eeb
SHA512

ab002fcc34b68f6670fa02257392e16327ee7ab6afa3da6988c24ebcf0607abae613f223cb58dff8ab9cc6c90bba112d0361496428492cbbcf9cd200fa009e64

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
privateemail.com
Port:
587
Username:
[email protected]
Password:
@damienzy.xyz2240

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4388-138-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Technical Details.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Technical Details.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Technical Details.exe

description pid process target process

PID 548 set thread context of 4388 548 Technical Details.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4588 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Technical Details.exeRegSvcs.exe

pid process

548 Technical Details.exe
4388 RegSvcs.exe
4388 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Technical Details.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 548 Technical Details.exe
Token: SeDebugPrivilege 4388 RegSvcs.exe

description	pid	process	target process
PID 548 set thread context of 4388	548	Technical Details.exe	RegSvcs.exe

pid	process
4588	schtasks.exe

pid	process
548	Technical Details.exe
4388	RegSvcs.exe
4388	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	548	Technical Details.exe
Token: SeDebugPrivilege	4388	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Technical Details.exe

description	pid	process	target process
PID 548 wrote to memory of 4588	548	Technical Details.exe	schtasks.exe
PID 548 wrote to memory of 4588	548	Technical Details.exe	schtasks.exe
PID 548 wrote to memory of 4588	548	Technical Details.exe	schtasks.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe
PID 548 wrote to memory of 4388	548	Technical Details.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Technical Details.exe
"C:\Users\Admin\AppData\Local\Temp\Technical Details.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jWnDUGZhALZVGq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp"
2⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp
Filesize
1KB

MD5
b622caea737a70a31738516a7082e6a4

SHA1
3cc8bc98b39957f6b0db6a53a28964c57f7fc049

SHA256
f821e7af26ceb81c018c42c95fa2bb062b14c8a478c0dc14b385a61d660034f7

SHA512
97baedaf4cde65cf682b3d03c127f0db9019e962dd3c4d0970286c03e1c76734b52c9878e7cfd712f65c420893795cb966e443a77d6fb40be18babd151c27553

Download Submit
memory/548-130-0x0000000000670000-0x00000000006E2000-memory.dmp

Filesize
456KB

Download
memory/548-131-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/548-132-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/548-133-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/548-134-0x0000000008F00000-0x0000000008F9C000-memory.dmp

Filesize
624KB

Download
memory/4388-137-0x0000000000000000-mapping.dmp

Download
memory/4388-138-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4388-139-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4388-140-0x0000000006760000-0x00000000067B0000-memory.dmp

Filesize
320KB

Download
memory/4588-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads