agenttesla | 49315131d6f74bfc7f35ea28265eeba7a1672aa934dd4605cd07d3502954b387

General

Target

opioooo.exe
Size

533KB
MD5

781af3413205e9e6bcee1f19ce07da63
SHA1

ee139062d39986041356dc9fd17e917c28387e7b
SHA256

361df840f755828b47108104d9da4a9614d9c961f913c89c12027799150568df
SHA512

54b806a18825e1989df37630264071db542e0df26e94b82510b96357df1e92b0d31525e591298663a803e0dcf63af52370e1744cc70d264402243cae088d232c

Score

10^/10

agenttesla collection keylogger persistence rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.aneeqllc.com
Port:
587
Username:
marketing@aneeqllc.com
Password:
gofast99Tu

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/532-75-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/532-76-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/532-77-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/532-78-0x00000000004474BE-mapping.dmp	family_agenttesla
behavioral1/memory/532-80-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/532-82-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

ReZer0 packer 2 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1156-56-0x0000000004850000-0x00000000048C4000-memory.dmp	rezer0
behavioral1/memory/1420-69-0x00000000006F0000-0x0000000000744000-memory.dmp	rezer0

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

opioooo.exeRegSvcs.exe

description	pid	process	target process
PID 1156 set thread context of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1420 set thread context of 532	1420	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1768 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

1420 RegSvcs.exe
532 RegSvcs.exe
532 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1420 RegSvcs.exe
Token: SeDebugPrivilege 532 RegSvcs.exe

pid	process
1768	schtasks.exe

pid	process
1420	RegSvcs.exe
532	RegSvcs.exe
532	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1420	RegSvcs.exe
Token: SeDebugPrivilege	532	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

opioooo.exeRegSvcs.exe

description	pid	process	target process
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1156 wrote to memory of 1420	1156	opioooo.exe	RegSvcs.exe
PID 1420 wrote to memory of 1768	1420	RegSvcs.exe	schtasks.exe
PID 1420 wrote to memory of 1768	1420	RegSvcs.exe	schtasks.exe
PID 1420 wrote to memory of 1768	1420	RegSvcs.exe	schtasks.exe
PID 1420 wrote to memory of 1768	1420	RegSvcs.exe	schtasks.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 916	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe
PID 1420 wrote to memory of 532	1420	RegSvcs.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\opioooo.exe
"C:\Users\Admin\AppData\Local\Temp\opioooo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIxvNRPuyhzFgP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D7C.tmp"
3⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D7C.tmp
Filesize
1KB

MD5
68f304b4f03e1bef36740d4b50ce5108

SHA1
8f6234d557fbd7549b1f83463057099b3ab55bf8

SHA256
f461f9f99db3694f45b0e79c05f04c4514f1154a872ce24c2befc55d8d0a8717

SHA512
a78429c8c7aaafb8f21d34b14703330e48a91e3f01e1ab8990d9a1d80537d4f11f905a8ef9aac4835da337a25b2db9c26221b496942896db5bdab8b485ab6439

Download Submit
memory/532-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/532-83-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/532-82-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/532-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/532-78-0x00000000004474BE-mapping.dmp

Download
memory/532-77-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/532-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/532-73-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/532-72-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1156-56-0x0000000004850000-0x00000000048C4000-memory.dmp

Filesize
464KB

Download
memory/1156-54-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1156-55-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1420-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1420-69-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/1420-68-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/1420-67-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1420-65-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1420-63-0x0000000000467DEA-mapping.dmp

Download
memory/1420-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1420-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1420-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1420-57-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads