agenttesla | 49315131d6f74bfc7f35ea28265eeba7a1672aa934dd4605cd07d3502954b387

General

Target

opioooo.exe
Size

533KB
MD5

781af3413205e9e6bcee1f19ce07da63
SHA1

ee139062d39986041356dc9fd17e917c28387e7b
SHA256

361df840f755828b47108104d9da4a9614d9c961f913c89c12027799150568df
SHA512

54b806a18825e1989df37630264071db542e0df26e94b82510b96357df1e92b0d31525e591298663a803e0dcf63af52370e1744cc70d264402243cae088d232c

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.aneeqllc.com
Port:
587
Username:
marketing@aneeqllc.com
Password:
gofast99Tu

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1512-143-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

opioooo.exeRegSvcs.exe

description	pid	process	target process
PID 1904 set thread context of 504	1904	opioooo.exe	RegSvcs.exe
PID 504 set thread context of 1512	504	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1880 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

2152 REG.exe

pid	process
1880	schtasks.exe

pid	process
2152	REG.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

opioooo.exeRegSvcs.exeRegSvcs.exe

pid	process
1904	opioooo.exe
1904	opioooo.exe
1904	opioooo.exe
1904	opioooo.exe
1904	opioooo.exe
1904	opioooo.exe
1904	opioooo.exe
1904	opioooo.exe
504	RegSvcs.exe
1512	RegSvcs.exe
1512	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

opioooo.exeRegSvcs.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1904 opioooo.exe
Token: SeDebugPrivilege 504 RegSvcs.exe
Token: SeDebugPrivilege 1512 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1904	opioooo.exe
Token: SeDebugPrivilege	504	RegSvcs.exe
Token: SeDebugPrivilege	1512	RegSvcs.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

opioooo.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 1904 wrote to memory of 3476	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 3476	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 3476	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 1960	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 1960	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 1960	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 2060	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 2060	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 2060	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 1696	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 1696	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 1696	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 1904 wrote to memory of 504	1904	opioooo.exe	RegSvcs.exe
PID 504 wrote to memory of 1880	504	RegSvcs.exe	schtasks.exe
PID 504 wrote to memory of 1880	504	RegSvcs.exe	schtasks.exe
PID 504 wrote to memory of 1880	504	RegSvcs.exe	schtasks.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 504 wrote to memory of 1512	504	RegSvcs.exe	RegSvcs.exe
PID 1512 wrote to memory of 2152	1512	RegSvcs.exe	REG.exe
PID 1512 wrote to memory of 2152	1512	RegSvcs.exe	REG.exe
PID 1512 wrote to memory of 2152	1512	RegSvcs.exe	REG.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\opioooo.exe
"C:\Users\Admin\AppData\Local\Temp\opioooo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIxvNRPuyhzFgP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF2.tmp"
3⤵
- Creates scheduled task(s)
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1512

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
4⤵
- Modifies registry key
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
507B

MD5
ab4c71d3ff6255edd4e5c1e09540f49e

SHA1
22e06bf4e258741b5df918061871cba998c50cea

SHA256
1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a

SHA512
8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCF2.tmp
Filesize
1KB

MD5
abbb44630fa3662de05de9aba8a95d0a

SHA1
ad132c422f42d5b9e67b1e64d7e2ade662a6509f

SHA256
83058e92ff52cdf998ed3ed797111d5ee4b47d664393435c6fe95b64b2c42002

SHA512
2a1d54874fb7e85d68e524fae1fc565806c743b6d286bedc35741dae3be748b6534048a29c86c91f60b8df8713db1a2434bcaf2d5675619f5cf823c17af30f1c

Download Submit
memory/504-138-0x0000000000000000-mapping.dmp

Download
memory/504-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1512-142-0x0000000000000000-mapping.dmp

Download
memory/1512-143-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1512-148-0x0000000006BC0000-0x0000000006BCA000-memory.dmp

Filesize
40KB

Download
memory/1512-146-0x0000000006960000-0x00000000069B0000-memory.dmp

Filesize
320KB

Download
memory/1512-145-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1696-137-0x0000000000000000-mapping.dmp

Download
memory/1880-140-0x0000000000000000-mapping.dmp

Download
memory/1904-131-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/1904-130-0x0000000000330000-0x00000000003BC000-memory.dmp

Filesize
560KB

Download
memory/1904-132-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/1904-133-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1960-135-0x0000000000000000-mapping.dmp

Download
memory/2060-136-0x0000000000000000-mapping.dmp

Download
memory/2152-147-0x0000000000000000-mapping.dmp

Download
memory/3476-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads