agenttesla | f510d8c903f78262f15edd2b3c4f1778fb590fedb8d54224da31c6717c9c8f3a

General

Target

PO.exe
Size

869KB
MD5

a925cd618ba6ead6b73ded89b70e69b7
SHA1

9a1b4b8e5a3d2d9539205f9c2a3ea96d5f74d5c0
SHA256

547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362
SHA512

9a96bb6e45fcafe54376b3c923c5db4f71651832bc42897218511b87bbb15bacfafb9059a378d37022fe19b5dff6b78e8013b14262ab907f6d4bc0b051a365fb

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cka.com.sg
Port:
587
Username:
[email protected]
Password:
agnescka82

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4300-135-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PO.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation PO.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	PO.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

PO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Officex = "C:\\Users\\Admin\\AppData\\Roaming\\Officex\\Officex.exe"	PO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2480 set thread context of 4300 2480 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

544 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO.exePO.exe

pid process

2480 PO.exe
2480 PO.exe
2480 PO.exe
4300 PO.exe
4300 PO.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO.exePO.exe

description pid process

Token: SeDebugPrivilege 2480 PO.exe
Token: SeDebugPrivilege 4300 PO.exe

description	pid	process	target process
PID 2480 set thread context of 4300	2480	PO.exe	PO.exe

pid	process
544	schtasks.exe

pid	process
2480	PO.exe
2480	PO.exe
2480	PO.exe
4300	PO.exe
4300	PO.exe

description	pid	process
Token: SeDebugPrivilege	2480	PO.exe
Token: SeDebugPrivilege	4300	PO.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO.exe

description	pid	process	target process
PID 2480 wrote to memory of 544	2480	PO.exe	schtasks.exe
PID 2480 wrote to memory of 544	2480	PO.exe	schtasks.exe
PID 2480 wrote to memory of 544	2480	PO.exe	schtasks.exe
PID 2480 wrote to memory of 1368	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 1368	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 1368	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe
PID 2480 wrote to memory of 4300	2480	PO.exe	PO.exe

outlook_office_path 1 IoCs

Processes:

PO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

outlook_win_path 1 IoCs

Processes:

PO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SWEYXGLydrrF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB7B.tmp"
2⤵
- Creates scheduled task(s)
PID:544

C:\Users\Admin\AppData\Local\Temp\PO.exe
"{path}"
2⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\PO.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO.exe.log
Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB7B.tmp
Filesize
1KB

MD5
f4072566f36072a45f45a17b25b14850

SHA1
d33d769ea374aaefd7d06c52b280c72c6bde179a

SHA256
18f0925c1f82c9aaae227dbce2f7aab28df54746ca1eeb980571a63191b7a62e

SHA512
d9a9674188ccd1fe99a321cdf53ac4ae073a0dbca7775f2abee73cfcbc642a2e4ea936ea2c11f15c70d6ab02cb6c2f99da139d09efd05c34e9a7d65019a44432

Download Submit
memory/544-131-0x0000000000000000-mapping.dmp

Download
memory/1368-133-0x0000000000000000-mapping.dmp

Download
memory/2480-130-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/4300-134-0x0000000000000000-mapping.dmp

Download
memory/4300-135-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4300-137-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads