agenttesla | ffd551a66208b73cee933fc4e27c449b8eabb0acb0fe27ad251844e2fb8821d1

Analysis

max time kernel
148s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe
Size

5.2MB
MD5

f7389b83ba7eaedeae31eda31412db06
SHA1

ccfd2e456ccf2c8cc24942797805ad4d15a6d860
SHA256

ffd551a66208b73cee933fc4e27c449b8eabb0acb0fe27ad251844e2fb8821d1
SHA512

ac7f8ef5e4736e6fcb0f54c88761095dbcb09cec44d35b1efcfb7cbc03341049fc55410ad49925399ea8e56ea02d5c1ad1c20fb4c344d3027fbb7873f45aa4a9

Score

10^/10

agenttesla netwire botnet collection keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
157.230.124.151
Port:
587
Username:
[email protected]
Password:
chichi001

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/220-155-0x0000000000790000-0x00000000007BB000-memory.dmp	netwire
behavioral2/memory/220-158-0x0000000000790000-0x00000000007BB000-memory.dmp	netwire
behavioral2/memory/220-162-0x0000000000790000-0x00000000007BB000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2660-164-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 5 IoCs

Processes:

orijan23.exellij.exeisud.exellij.exeisud.exe

pid process

4164 orijan23.exe
2128 llij.exe
5020 isud.exe
220 llij.exe
2660 isud.exe

pid	process
4164	orijan23.exe
2128	llij.exe
5020	isud.exe
220	llij.exe
2660	isud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exeorijan23.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	orijan23.exe

Drops startup file 1 IoCs

Processes:

llij.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llij.lnk llij.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llij.lnk	llij.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

isud.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	isud.exe
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	isud.exe
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	isud.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

isud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isjk = "C:\\Users\\Admin\\AppData\\Roaming\\isud.exe"	isud.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

llij.exeisud.exe

description pid process target process

PID 2128 set thread context of 220 2128 llij.exe llij.exe
PID 5020 set thread context of 2660 5020 isud.exe isud.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4632 220 WerFault.exe llij.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

isud.exe

pid process

2660 isud.exe
2660 isud.exe

description	pid	process	target process
PID 2128 set thread context of 220	2128	llij.exe	llij.exe
PID 5020 set thread context of 2660	5020	isud.exe	isud.exe

pid	pid_target	process	target process
4632	220	WerFault.exe	llij.exe

pid	process
2660	isud.exe
2660	isud.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exeorijan23.exellij.exeisud.exeisud.exe

description	pid	process
Token: SeDebugPrivilege	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe
Token: SeDebugPrivilege	4164	orijan23.exe
Token: SeDebugPrivilege	2128	llij.exe
Token: SeDebugPrivilege	5020	isud.exe
Token: SeDebugPrivilege	2660	isud.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

isud.exe

pid process

2660 isud.exe

pid	process
2660	isud.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.execmd.execmd.exeorijan23.execmd.exellij.exeisud.exe

description	pid	process	target process
PID 3628 wrote to memory of 2604	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 2604	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 2604	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 2604 wrote to memory of 4164	2604	cmd.exe	orijan23.exe
PID 2604 wrote to memory of 4164	2604	cmd.exe	orijan23.exe
PID 2604 wrote to memory of 4164	2604	cmd.exe	orijan23.exe
PID 3628 wrote to memory of 4408	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 4408	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 4408	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 1500	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 1500	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 3628 wrote to memory of 1500	3628	FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe	cmd.exe
PID 1500 wrote to memory of 2128	1500	cmd.exe	llij.exe
PID 1500 wrote to memory of 2128	1500	cmd.exe	llij.exe
PID 1500 wrote to memory of 2128	1500	cmd.exe	llij.exe
PID 4164 wrote to memory of 848	4164	orijan23.exe	cmd.exe
PID 4164 wrote to memory of 848	4164	orijan23.exe	cmd.exe
PID 4164 wrote to memory of 848	4164	orijan23.exe	cmd.exe
PID 4164 wrote to memory of 4824	4164	orijan23.exe	cmd.exe
PID 4164 wrote to memory of 4824	4164	orijan23.exe	cmd.exe
PID 4164 wrote to memory of 4824	4164	orijan23.exe	cmd.exe
PID 4824 wrote to memory of 5020	4824	cmd.exe	isud.exe
PID 4824 wrote to memory of 5020	4824	cmd.exe	isud.exe
PID 4824 wrote to memory of 5020	4824	cmd.exe	isud.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 2128 wrote to memory of 220	2128	llij.exe	llij.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe
PID 5020 wrote to memory of 2660	5020	isud.exe	isud.exe

outlook_office_path 1 IoCs

Processes:

isud.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	isud.exe

outlook_win_path 1 IoCs

Processes:

isud.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	isud.exe

C:\Users\Admin\AppData\Local\Temp\FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe
"C:\Users\Admin\AppData\Local\Temp\FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\orijan23.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Roaming\orijan23.exe
"C:\Users\Admin\AppData\Roaming\orijan23.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\orijan23.exe" "C:\Users\Admin\AppData\Roaming\isud.exe"
4⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\isud.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Roaming\isud.exe
"C:\Users\Admin\AppData\Roaming\isud.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Roaming\isud.exe
"C:\Users\Admin\AppData\Roaming\isud.exe"
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\FFD551A66208B73CEE933FC4E27C449B8EABB0ACB0FE2.exe" "C:\Users\Admin\AppData\Roaming\llij.exe"
2⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\llij.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Roaming\llij.exe
"C:\Users\Admin\AppData\Roaming\llij.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Roaming\llij.exe
"C:\Users\Admin\AppData\Roaming\llij.exe"
4⤵
- Executes dropped EXE
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 316
5⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 220 -ip 220
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\isud.exe.log

Filesize
903B

MD5
e561cf4d9ef3a0bcc94f3c4ddefbd8d7

SHA1
5476485c0050217f99370f52f37edfaf5858463c

SHA256
f87cef121c3fe8abf16d5f787a4848523ce016b15482eb82051293da3c8db086

SHA512
22f569c8748c017aa7b05a305009b3d353dd04bc8997e9d31722a733708cf5f2264d5f28a60beacc7248e4070b979f69a1fb9e61d08289cbbd21985563098743

Download Submit
C:\Users\Admin\AppData\Roaming\isud.exe

Filesize
1.3MB

MD5
2d5da0b865fc3e5800402a0c2fb63920

SHA1
14625c0835dcd3a904372a0e805e39303a4d9ecb

SHA256
ec0e9584d2523f23746d30005c2fd08a2ee70311d169792447c6c09f02614b81

SHA512
efff3d9adcea59bddc772af7d5372853de4e92e232e7380d813d3d0f8f70c60729e5853424b79e64e5aea288dfe4b1eaa49adc78d829352f0a4ea8a371451365

Download Submit
C:\Users\Admin\AppData\Roaming\isud.exe

Filesize
1.3MB

MD5
2d5da0b865fc3e5800402a0c2fb63920

SHA1
14625c0835dcd3a904372a0e805e39303a4d9ecb

SHA256
ec0e9584d2523f23746d30005c2fd08a2ee70311d169792447c6c09f02614b81

SHA512
efff3d9adcea59bddc772af7d5372853de4e92e232e7380d813d3d0f8f70c60729e5853424b79e64e5aea288dfe4b1eaa49adc78d829352f0a4ea8a371451365

Download Submit
C:\Users\Admin\AppData\Roaming\isud.exe

Filesize
1.3MB

MD5
2d5da0b865fc3e5800402a0c2fb63920

SHA1
14625c0835dcd3a904372a0e805e39303a4d9ecb

SHA256
ec0e9584d2523f23746d30005c2fd08a2ee70311d169792447c6c09f02614b81

SHA512
efff3d9adcea59bddc772af7d5372853de4e92e232e7380d813d3d0f8f70c60729e5853424b79e64e5aea288dfe4b1eaa49adc78d829352f0a4ea8a371451365

Download Submit
C:\Users\Admin\AppData\Roaming\llij.exe

Filesize
5.2MB

MD5
f7389b83ba7eaedeae31eda31412db06

SHA1
ccfd2e456ccf2c8cc24942797805ad4d15a6d860

SHA256
ffd551a66208b73cee933fc4e27c449b8eabb0acb0fe27ad251844e2fb8821d1

SHA512
ac7f8ef5e4736e6fcb0f54c88761095dbcb09cec44d35b1efcfb7cbc03341049fc55410ad49925399ea8e56ea02d5c1ad1c20fb4c344d3027fbb7873f45aa4a9

Download Submit
C:\Users\Admin\AppData\Roaming\llij.exe

Filesize
5.2MB

MD5
f7389b83ba7eaedeae31eda31412db06

SHA1
ccfd2e456ccf2c8cc24942797805ad4d15a6d860

SHA256
ffd551a66208b73cee933fc4e27c449b8eabb0acb0fe27ad251844e2fb8821d1

SHA512
ac7f8ef5e4736e6fcb0f54c88761095dbcb09cec44d35b1efcfb7cbc03341049fc55410ad49925399ea8e56ea02d5c1ad1c20fb4c344d3027fbb7873f45aa4a9

Download Submit
C:\Users\Admin\AppData\Roaming\llij.exe

Filesize
5.2MB

MD5
f7389b83ba7eaedeae31eda31412db06

SHA1
ccfd2e456ccf2c8cc24942797805ad4d15a6d860

SHA256
ffd551a66208b73cee933fc4e27c449b8eabb0acb0fe27ad251844e2fb8821d1

SHA512
ac7f8ef5e4736e6fcb0f54c88761095dbcb09cec44d35b1efcfb7cbc03341049fc55410ad49925399ea8e56ea02d5c1ad1c20fb4c344d3027fbb7873f45aa4a9

Download Submit
C:\Users\Admin\AppData\Roaming\orijan23.exe

Filesize
1.3MB

MD5
2d5da0b865fc3e5800402a0c2fb63920

SHA1
14625c0835dcd3a904372a0e805e39303a4d9ecb

SHA256
ec0e9584d2523f23746d30005c2fd08a2ee70311d169792447c6c09f02614b81

SHA512
efff3d9adcea59bddc772af7d5372853de4e92e232e7380d813d3d0f8f70c60729e5853424b79e64e5aea288dfe4b1eaa49adc78d829352f0a4ea8a371451365

Download Submit
C:\Users\Admin\AppData\Roaming\orijan23.exe

Filesize
1.3MB

MD5
2d5da0b865fc3e5800402a0c2fb63920

SHA1
14625c0835dcd3a904372a0e805e39303a4d9ecb

SHA256
ec0e9584d2523f23746d30005c2fd08a2ee70311d169792447c6c09f02614b81

SHA512
efff3d9adcea59bddc772af7d5372853de4e92e232e7380d813d3d0f8f70c60729e5853424b79e64e5aea288dfe4b1eaa49adc78d829352f0a4ea8a371451365

Download Submit
C:\Users\Admin\Documents\orijan23.txt

Filesize
32B

MD5
b41566341029c6b54305e634392aeb15

SHA1
76f3e3c6c7814fff265710b93af1e2109d6ec6f9

SHA256
9c797e062cd7946612fdf00b4368ba1b2ba1ca1996cb7b1e0e7c6918f85e4a17

SHA512
6fd4541d89eec59e382e03a2d5b3228a020ba6d3245756010070ebf3b1f6c7a28586dc1bee11b0cfc8610c807b2a69e748f67f2458c6d5f6c0a584634c629a53

Download Submit
memory/220-162-0x0000000000790000-0x00000000007BB000-memory.dmp

Filesize
172KB

Download
memory/220-158-0x0000000000790000-0x00000000007BB000-memory.dmp

Filesize
172KB

Download
memory/220-155-0x0000000000790000-0x00000000007BB000-memory.dmp

Filesize
172KB

Download
memory/220-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/220-152-0x0000000000000000-mapping.dmp

Download
memory/848-145-0x0000000000000000-mapping.dmp

Download
memory/1500-141-0x0000000000000000-mapping.dmp

Download
memory/2128-142-0x0000000000000000-mapping.dmp

Download
memory/2128-151-0x000000000B5D0000-0x000000000B66C000-memory.dmp

Filesize
624KB

Download
memory/2604-135-0x0000000000000000-mapping.dmp

Download
memory/2660-167-0x00000000069B0000-0x00000000069BA000-memory.dmp

Filesize
40KB

Download
memory/2660-164-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2660-163-0x0000000000000000-mapping.dmp

Download
memory/3628-133-0x00000000064F0000-0x0000000006534000-memory.dmp

Filesize
272KB

Download
memory/3628-130-0x0000000000E60000-0x0000000001394000-memory.dmp

Filesize
5.2MB

Download
memory/3628-134-0x0000000006760000-0x00000000067C6000-memory.dmp

Filesize
408KB

Download
memory/3628-132-0x0000000006AA0000-0x0000000007044000-memory.dmp

Filesize
5.6MB

Download
memory/3628-131-0x0000000006450000-0x00000000064E2000-memory.dmp

Filesize
584KB

Download
memory/4164-136-0x0000000000000000-mapping.dmp

Download
memory/4164-139-0x0000000000DB0000-0x0000000000EF8000-memory.dmp

Filesize
1.3MB

Download
memory/4408-140-0x0000000000000000-mapping.dmp

Download
memory/4824-146-0x0000000000000000-mapping.dmp

Download
memory/5020-147-0x0000000000000000-mapping.dmp

Download