agenttesla | 22083794e761ae3e2fb684244ddadba8353b0dc25549d9591dbbd118dde52054

Analysis

max time kernel
69s
max time network
151s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
05-08-2022 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BANK DATAILS.exe
Size

825KB
MD5

9c8721d5f0dfcb5893766810fc016b1b
SHA1

097e2d6bd75f55fee4ba991696d15bbd0f73137f
SHA256

22083794e761ae3e2fb684244ddadba8353b0dc25549d9591dbbd118dde52054
SHA512

83e9bd28a1ff90448cd029742dcf3dfea760ed70112ab85e840c661c053d59531f521e3d09a49c545cc7dc26b7bfc76d106e0bb3692b88c64c4f03acbe6177fa

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
webmail.keeprojects.in
Port:
587
Username:
quality@keeprojects.in
Password:
quality#@!

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
webmail.keeprojects.in
Port:
587
Username:
quality@keeprojects.in
Password:
quality#@!
Email To:
uuc7470@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BANK DATAILS.exe

description pid process target process

PID 1676 set thread context of 1452 1676 BANK DATAILS.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

1452 MSBuild.exe
1452 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1452 MSBuild.exe

description	pid	process	target process
PID 1676 set thread context of 1452	1676	BANK DATAILS.exe	MSBuild.exe

pid	process
1452	MSBuild.exe
1452	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1452	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

BANK DATAILS.exe

description	pid	process	target process
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe
PID 1676 wrote to memory of 1452	1676	BANK DATAILS.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\BANK DATAILS.exe
"C:\Users\Admin\AppData\Local\Temp\BANK DATAILS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1452-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1452-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1452-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1452-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1452-65-0x0000000000435BEE-mapping.dmp

Download
memory/1452-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1452-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1676-56-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1676-57-0x00000000049F0000-0x0000000004A6E000-memory.dmp

Filesize
504KB

Download
memory/1676-58-0x00000000004E0000-0x000000000051A000-memory.dmp

Filesize
232KB

Download
memory/1676-54-0x0000000000D70000-0x0000000000E44000-memory.dmp

Filesize
848KB

Download