agenttesla | 085d23a18c1dc923aaaa53ead881862faadaf2cd49114fe2ea5d85a3d7d5a9f3

General

Target

file01.ps1
Size

833KB
MD5

3cc5a223552109e539cbe5ef1fa5e5fe
SHA1

73ae5666483ca262a772ff39a4ca867290934054
SHA256

085d23a18c1dc923aaaa53ead881862faadaf2cd49114fe2ea5d85a3d7d5a9f3
SHA512

3e6be56204400bd1535c655208ad881f01f038ab345aceac8a692f4d59f0d951ed923bd76d598c07f0d5ae7d6a24e984eafaafe68b9b20755cdc160b5e93ff1e
SSDEEP

12288:vX4HnACkasep8iiShRNiXPCkwT0AV4igtsfsZTMursfV5yqhrzcJMrqLtPw5Cc/D:vXe7

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 444 POWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	444	POWERSHELL.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4164 set thread context of 2176 4164 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 4164 set thread context of 2176	4164	powershell.exe	aspnet_compiler.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

936 reg.exe
2580 reg.exe

pid	process
936	reg.exe
2580	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exeaspnet_compiler.exe

pid	process
1116	powershell.exe
1116	powershell.exe
4724	powershell.exe
4724	powershell.exe
4952	POWERSHELL.exe
4952	POWERSHELL.exe
4164	powershell.exe
4164	powershell.exe
2176	aspnet_compiler.exe
2176	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exe

description	pid	process
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4952	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	4724	powershell.exe
Token: SeSecurityPrivilege	4724	powershell.exe
Token: SeTakeOwnershipPrivilege	4724	powershell.exe
Token: SeLoadDriverPrivilege	4724	powershell.exe
Token: SeSystemProfilePrivilege	4724	powershell.exe
Token: SeSystemtimePrivilege	4724	powershell.exe
Token: SeProfSingleProcessPrivilege	4724	powershell.exe
Token: SeIncBasePriorityPrivilege	4724	powershell.exe
Token: SeCreatePagefilePrivilege	4724	powershell.exe
Token: SeBackupPrivilege	4724	powershell.exe
Token: SeRestorePrivilege	4724	powershell.exe
Token: SeShutdownPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	powershell.exe
Token: SeRemoteShutdownPrivilege	4724	powershell.exe
Token: SeUndockPrivilege	4724	powershell.exe
Token: SeManageVolumePrivilege	4724	powershell.exe
Token: 33	4724	powershell.exe
Token: 34	4724	powershell.exe
Token: 35	4724	powershell.exe
Token: 36	4724	powershell.exe
Token: SeIncreaseQuotaPrivilege	4724	powershell.exe
Token: SeSecurityPrivilege	4724	powershell.exe
Token: SeTakeOwnershipPrivilege	4724	powershell.exe
Token: SeLoadDriverPrivilege	4724	powershell.exe
Token: SeSystemProfilePrivilege	4724	powershell.exe
Token: SeSystemtimePrivilege	4724	powershell.exe
Token: SeProfSingleProcessPrivilege	4724	powershell.exe
Token: SeIncBasePriorityPrivilege	4724	powershell.exe
Token: SeCreatePagefilePrivilege	4724	powershell.exe
Token: SeBackupPrivilege	4724	powershell.exe
Token: SeRestorePrivilege	4724	powershell.exe
Token: SeShutdownPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	powershell.exe
Token: SeRemoteShutdownPrivilege	4724	powershell.exe
Token: SeUndockPrivilege	4724	powershell.exe
Token: SeManageVolumePrivilege	4724	powershell.exe
Token: 33	4724	powershell.exe
Token: 34	4724	powershell.exe
Token: 35	4724	powershell.exe
Token: 36	4724	powershell.exe
Token: SeIncreaseQuotaPrivilege	4724	powershell.exe
Token: SeSecurityPrivilege	4724	powershell.exe
Token: SeTakeOwnershipPrivilege	4724	powershell.exe
Token: SeLoadDriverPrivilege	4724	powershell.exe
Token: SeSystemProfilePrivilege	4724	powershell.exe
Token: SeSystemtimePrivilege	4724	powershell.exe
Token: SeProfSingleProcessPrivilege	4724	powershell.exe
Token: SeIncBasePriorityPrivilege	4724	powershell.exe
Token: SeCreatePagefilePrivilege	4724	powershell.exe
Token: SeBackupPrivilege	4724	powershell.exe
Token: SeRestorePrivilege	4724	powershell.exe
Token: SeShutdownPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	powershell.exe
Token: SeRemoteShutdownPrivilege	4724	powershell.exe
Token: SeUndockPrivilege	4724	powershell.exe
Token: SeManageVolumePrivilege	4724	powershell.exe
Token: 33	4724	powershell.exe
Token: 34	4724	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1116 wrote to memory of 4724	1116	powershell.exe	powershell.exe
PID 1116 wrote to memory of 4724	1116	powershell.exe	powershell.exe
PID 4724 wrote to memory of 4384	4724	powershell.exe	WScript.exe
PID 4724 wrote to memory of 4384	4724	powershell.exe	WScript.exe
PID 4952 wrote to memory of 2016	4952	POWERSHELL.exe	cmd.exe
PID 4952 wrote to memory of 2016	4952	POWERSHELL.exe	cmd.exe
PID 2016 wrote to memory of 936	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 936	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 2580	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 2580	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1348	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 1348	2016	cmd.exe	cmd.exe
PID 1348 wrote to memory of 4164	1348	cmd.exe	powershell.exe
PID 1348 wrote to memory of 4164	1348	cmd.exe	powershell.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe
PID 4164 wrote to memory of 2176	4164	powershell.exe	aspnet_compiler.exe

outlook_office_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
3⤵
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:936

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:2580

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
Filesize
824KB

MD5
72fae1336dddec90ae79e72cdecff348

SHA1
944938aa9e7b9e0a7be0652ef5f655044ccc7743

SHA256
a3e20bea0a9e6b98852b03d67c55191a3b290a1ee9ccacfa6aab057fa7c53de3

SHA512
b8636517f54acc11b019d6263abe495ab46ffcbcaffb79c0ea29faa6bbe8ca9077f50a0ee36f6cad4cc19696a0328b9db7ba5b05d08163b53b100d6dff6df9be

Download Submit
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
Filesize
706B

MD5
5f47e284245ee4f81f03eb432c946a88

SHA1
0a95478eafa3e994bf3e6e166b4a43ba9d63fe2e

SHA256
a749e67a7b277f33e03aa41b2dc19d09e7bebdb45ebe2c686ed410ed80980090

SHA512
f41c1717f966513dfdea116d171fcbb964b3ddff37df8466e73c887fbbd8521832a111e63ef2b00a95b6dba8e293ca6b196f16018a88f4534e751832092ead2b

Download Submit
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
Filesize
3KB

MD5
67a502ba0f7e94457ee7a901066e176c

SHA1
09b7a7edafcb084398270e46689853dc1bb56fd9

SHA256
127cb052f9cc719b08bc165b04f4a54c6c616981370f21025b39139c9b8abd87

SHA512
5810cc4c466d1e16dedb5ef02fd416e343e3772442b0e06b8e2b8fbdd696f06374b14a2776f4e39b9071884457d49892d71db141377b8b53257fa4ccf29d2c4c

Download Submit
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
Filesize
2KB

MD5
50868a55a1f3c71fec65535055a9ce84

SHA1
485524c1b3cd4bda27cede63bb11d120b2b0d134

SHA256
966b292093b03191aa3855a053f2f6150f2e9a84d507438e08260992a921f579

SHA512
5f3491b4135339a5e63b85e2a47a69c31be44fc9a2eb281153f40ce9ce400e59bce70dcee7b4ef2473e2cb11589b21905cecfad919107d2fa76dc73605326feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
02a1a26525c65a359d41483180eaa6f7

SHA1
c0e2578b92d20e925c1c87016d1a9fccee1ec56f

SHA256
d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

SHA512
d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
memory/936-142-0x0000000000000000-mapping.dmp

Download
memory/1116-132-0x000001B3F4900000-0x000001B3F4922000-memory.dmp

Filesize
136KB

Download
memory/1116-151-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1116-134-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1116-133-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1348-145-0x0000000000000000-mapping.dmp

Download
memory/2016-140-0x0000000000000000-mapping.dmp

Download
memory/2176-163-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/2176-160-0x0000000000500000-0x000000000053A000-memory.dmp

Filesize
232KB

Download
memory/2176-166-0x0000000006300000-0x000000000630A000-memory.dmp

Filesize
40KB

Download
memory/2176-165-0x0000000006320000-0x00000000063B2000-memory.dmp

Filesize
584KB

Download
memory/2176-162-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/2176-161-0x0000000005170000-0x0000000005714000-memory.dmp

Filesize
5.6MB

Download
memory/2176-155-0x0000000000435A0E-mapping.dmp

Download
memory/2176-164-0x0000000005DA0000-0x0000000005DF0000-memory.dmp

Filesize
320KB

Download
memory/2580-143-0x0000000000000000-mapping.dmp

Download
memory/4164-153-0x000001E6505D0000-0x000001E6505EA000-memory.dmp

Filesize
104KB

Download
memory/4164-157-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4164-152-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4164-146-0x0000000000000000-mapping.dmp

Download
memory/4384-138-0x0000000000000000-mapping.dmp

Download
memory/4724-135-0x0000000000000000-mapping.dmp

Download
memory/4724-137-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4724-147-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4952-159-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4952-144-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads