agenttesla | 83532bb6a24d4eb669d3655d94345e3b44df39025e8c4ad024d5365575a70fe2

General

Target

MAERSK KLEVEN V.949.exe
Size

3.9MB
MD5

21eda5c3a9b012e0ae18f446da1b9eeb
SHA1

0b01392f53c0fe65952495ba14af70420d2c5853
SHA256

f1f8cbfc6921ce73c2c3668b2fded2a1bdb3cf8d5434f23090840115188fd7b9
SHA512

74ae6555b9329bc549bd686f9d861b2d09bf0030b07a1289801bef239751c770fcb3ef729e6bcf724f32a6869893bb119480d3680e78b6be5bccc770bf517c18

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

MAERSK KLEVEN V.949.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MAERSK KLEVEN V.949.exe\""	MAERSK KLEVEN V.949.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

AgentTesla Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1108-60-0x0000000000AB0000-0x0000000000AFA000-memory.dmp	family_agenttesla
behavioral1/memory/1736-64-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla
behavioral1/memory/1736-65-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla
behavioral1/memory/1736-66-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla
behavioral1/memory/1736-67-0x0000000000445C2E-mapping.dmp	family_agenttesla
behavioral1/memory/1736-69-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla
behavioral1/memory/1736-71-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla

Drops startup file 2 IoCs

Processes:

MAERSK KLEVEN V.949.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAERSK KLEVEN V.949.exe	MAERSK KLEVEN V.949.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAERSK KLEVEN V.949.exe	MAERSK KLEVEN V.949.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

MAERSK KLEVEN V.949.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	MAERSK KLEVEN V.949.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	MAERSK KLEVEN V.949.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

installutil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	installutil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	installutil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	installutil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MAERSK KLEVEN V.949.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MAERSK KLEVEN V.949.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MAERSK KLEVEN V.949.exe"	MAERSK KLEVEN V.949.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MAERSK KLEVEN V.949.exe

description pid process target process

PID 1108 set thread context of 1736 1108 MAERSK KLEVEN V.949.exe installutil.exe

description	pid	process	target process
PID 1108 set thread context of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMAERSK KLEVEN V.949.exeinstallutil.exe

pid	process
960	powershell.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1736	installutil.exe
1736	installutil.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe
1108	MAERSK KLEVEN V.949.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeMAERSK KLEVEN V.949.exeinstallutil.exe

description	pid	process
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1108	MAERSK KLEVEN V.949.exe
Token: SeDebugPrivilege	1736	installutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installutil.exe

pid process

1736 installutil.exe

pid	process
1736	installutil.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

MAERSK KLEVEN V.949.exe

description	pid	process	target process
PID 1108 wrote to memory of 960	1108	MAERSK KLEVEN V.949.exe	powershell.exe
PID 1108 wrote to memory of 960	1108	MAERSK KLEVEN V.949.exe	powershell.exe
PID 1108 wrote to memory of 960	1108	MAERSK KLEVEN V.949.exe	powershell.exe
PID 1108 wrote to memory of 960	1108	MAERSK KLEVEN V.949.exe	powershell.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe
PID 1108 wrote to memory of 1736	1108	MAERSK KLEVEN V.949.exe	installutil.exe

outlook_office_path 1 IoCs

Processes:

installutil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	installutil.exe

outlook_win_path 1 IoCs

Processes:

installutil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	installutil.exe

C:\Users\Admin\AppData\Local\Temp\MAERSK KLEVEN V.949.exe
"C:\Users\Admin\AppData\Local\Temp\MAERSK KLEVEN V.949.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-57-0x0000000000000000-mapping.dmp

Download
memory/960-59-0x000000006FF10000-0x00000000704BB000-memory.dmp

Filesize
5.7MB

Download
memory/1108-54-0x0000000000F30000-0x0000000001324000-memory.dmp

Filesize
4.0MB

Download
memory/1108-55-0x00000000009C0000-0x0000000000A2C000-memory.dmp

Filesize
432KB

Download
memory/1108-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1108-60-0x0000000000AB0000-0x0000000000AFA000-memory.dmp

Filesize
296KB

Download
memory/1736-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1736-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1736-64-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1736-65-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1736-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1736-67-0x0000000000445C2E-mapping.dmp

Download
memory/1736-69-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1736-71-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads