agenttesla | dae23e7dc11670ebc2b9edfc6b457e5c7d91fa90c7826bcd02470cbd9b1757fb

General

Target

Request for Quotation.exe
Size

522KB
MD5

90868ea38ee67574c75f0b44bc23f240
SHA1

6d59b6b66e6a57cbfd4bb8211c8a988d1ab68c7f
SHA256

8c2e223633dad17b0830a0efc0a1a3edfd835e176c5a502d36bb0021dfdbf2dc
SHA512

718380e06d37cfbde6e1dde2ef0c7f5e1846c34baba1234be2cf11717d7b0e55b8ea3405a49eff43fd5728ada9468d54f10f5eb9dcc8458b2038ae4931c694d9

Score

10^/10

agenttesla collection coreentity keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
admin@slboercleaning.com
Password:
WS!jmys8

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/748-56-0x0000000000360000-0x0000000000368000-memory.dmp	coreentity

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-63-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1700-64-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1700-68-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1700-65-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1700-70-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1700-66-0x000000000044B6AE-mapping.dmp	family_agenttesla

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/748-54-0x00000000013C0000-0x0000000001448000-memory.dmp	coreccc

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/748-57-0x0000000000B00000-0x0000000000B58000-memory.dmp	rezer0

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Request for Quotation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Request for Quotation.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Request for Quotation.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Request for Quotation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Request for Quotation.exe

description pid process target process

PID 748 set thread context of 1700 748 Request for Quotation.exe Request for Quotation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

960 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Request for Quotation.exeRequest for Quotation.exe

pid process

748 Request for Quotation.exe
1700 Request for Quotation.exe
1700 Request for Quotation.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Request for Quotation.exeRequest for Quotation.exe

description pid process

Token: SeDebugPrivilege 748 Request for Quotation.exe
Token: SeDebugPrivilege 1700 Request for Quotation.exe

description	pid	process	target process
PID 748 set thread context of 1700	748	Request for Quotation.exe	Request for Quotation.exe

pid	process
960	schtasks.exe

pid	process
748	Request for Quotation.exe
1700	Request for Quotation.exe
1700	Request for Quotation.exe

description	pid	process
Token: SeDebugPrivilege	748	Request for Quotation.exe
Token: SeDebugPrivilege	1700	Request for Quotation.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Request for Quotation.exe

description	pid	process	target process
PID 748 wrote to memory of 960	748	Request for Quotation.exe	schtasks.exe
PID 748 wrote to memory of 960	748	Request for Quotation.exe	schtasks.exe
PID 748 wrote to memory of 960	748	Request for Quotation.exe	schtasks.exe
PID 748 wrote to memory of 960	748	Request for Quotation.exe	schtasks.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe
PID 748 wrote to memory of 1700	748	Request for Quotation.exe	Request for Quotation.exe

outlook_office_path 1 IoCs

Processes:

Request for Quotation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Request for Quotation.exe

outlook_win_path 1 IoCs

Processes:

Request for Quotation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Request for Quotation.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UvAFCP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB4C.tmp"
2⤵
- Creates scheduled task(s)
PID:960

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1700

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCB4C.tmp
Filesize
1KB

MD5
20680d6067b560cd7bcb9dd0d6ac7a21

SHA1
2e2b2f059c86bda9bfae103eb193cab5ec1e4802

SHA256
25114e0dc37a0b86847a931a9ac67aec770ebd6ae568f0a0a6584d53c76321ca

SHA512
8013e2e0f1e23b91c6a325730cfd8930c0273e2e3535ca14252262e6f2dd7c4657088c83d3e7b816834033e2f905a1e432b2026e9d69e751484430e5ba365736

Download Submit
memory/748-54-0x00000000013C0000-0x0000000001448000-memory.dmp

Filesize
544KB

Download
memory/748-55-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/748-56-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/748-57-0x0000000000B00000-0x0000000000B58000-memory.dmp

Filesize
352KB

Download
memory/960-58-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1700-66-0x000000000044B6AE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads