agenttesla | 6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe

Analysis

max time kernel
55s
max time network
118s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
08/10/2022, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe.exe
Size

512KB
MD5

32acba7de5b9787e4e4b90b9b66b4918
SHA1

206479b671e649c26c2e25dfafe3d7a8662407d5
SHA256

6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe
SHA512

20eb9460c6d46e5e3f6e8e0de98ed7dc301b7a72428ddcc05587b3fa250d82fad53a20a265367c340d7ae4a73d3007055afa0218f1c1622bc8867eda0f3ca1f3
SSDEEP

12288:oNSAlgqypGV/e/G7Gi2GrQJQx9Lnc+TU6yNViy:oNnlgqy0V/e41UJM9LncR6yNYy

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Golddigger147

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 1 IoCs

pid	Process
3996	rguew.exe

Loads dropped DLL 1 IoCs

pid	Process
1908	rguew.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rguew.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rguew.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rguew.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\qLekEzs = "C:\\Users\\Admin\\AppData\\Roaming\\qLekEzs\\qLekEzs.exe"	rguew.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3996 set thread context of 1908	3996	rguew.exe	67

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	rguew.exe
1908	rguew.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	rguew.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1908	rguew.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3996	1968	6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe.exe	66
PID 1968 wrote to memory of 3996	1968	6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe.exe	66
PID 1968 wrote to memory of 3996	1968	6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe.exe	66
PID 3996 wrote to memory of 1908	3996	rguew.exe	67
PID 3996 wrote to memory of 1908	3996	rguew.exe	67
PID 3996 wrote to memory of 1908	3996	rguew.exe	67
PID 3996 wrote to memory of 1908	3996	rguew.exe	67

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rguew.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rguew.exe

C:\Users\Admin\AppData\Local\Temp\6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe.exe
"C:\Users\Admin\AppData\Local\Temp\6713a526ffb1f9608dfb3769e696aff9908b0fc018447639c94c71f46dfe7ebe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\rguew.exe
  "C:\Users\Admin\AppData\Local\Temp\rguew.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\rguew.exe
    "C:\Users\Admin\AppData\Local\Temp\rguew.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dgqhzgy.tib

Filesize
287KB

MD5
0527bd6614a1d0d215f2ff1e021559de

SHA1
c374abe204aeb1a6bcd34485cb1d3eebae33d9d6

SHA256
bc91a452a0e64338d002f18c99acdb758936d10284bf025630a57857a14d5588

SHA512
ff431163aaa81693e10cc46b4a82eb4ad214945d6b1f1b701d25b903b89baea474ad373ad63a6cec351308525bef01379dff917079d5985b58557dd610f44a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\rguew.exe

Filesize
73KB

MD5
c3fa6b5e978b218f1dd5c554cf68c5fc

SHA1
a31ab0fa508e0fe8cc58a9e30aba60f810652614

SHA256
2c5032bb923c9e5cc554e887c6ff505d1796cf0635f4213a4a8e3625f3c5731e

SHA512
a9de7f51009ae02203da3bc97671f695e24ef64025d1095b0279bab963129c1f624f8314efbeaf7a1b9183c0a311364d051e28d8d92217fad10a66be75f97791

Download Submit
C:\Users\Admin\AppData\Local\Temp\rguew.exe

Filesize
73KB

MD5
c3fa6b5e978b218f1dd5c554cf68c5fc

SHA1
a31ab0fa508e0fe8cc58a9e30aba60f810652614

SHA256
2c5032bb923c9e5cc554e887c6ff505d1796cf0635f4213a4a8e3625f3c5731e

SHA512
a9de7f51009ae02203da3bc97671f695e24ef64025d1095b0279bab963129c1f624f8314efbeaf7a1b9183c0a311364d051e28d8d92217fad10a66be75f97791

Download Submit
C:\Users\Admin\AppData\Local\Temp\rguew.exe

Filesize
73KB

MD5
c3fa6b5e978b218f1dd5c554cf68c5fc

SHA1
a31ab0fa508e0fe8cc58a9e30aba60f810652614

SHA256
2c5032bb923c9e5cc554e887c6ff505d1796cf0635f4213a4a8e3625f3c5731e

SHA512
a9de7f51009ae02203da3bc97671f695e24ef64025d1095b0279bab963129c1f624f8314efbeaf7a1b9183c0a311364d051e28d8d92217fad10a66be75f97791

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnqnqa.uu

Filesize
4KB

MD5
ae49b1535222ef3419fdda6350043525

SHA1
0a651d4e2be4c8573d3fb7a98c1d586742827053

SHA256
9476d63552425ce68374f86c88f985b299e44155fee130520b64cb2f0b9ac0b2

SHA512
6353f0b13e93c1cb331b2deb9b1510af2ad71625037c71b08b334c44bedf59dbc1e36b2e288dd713dec1360f1a35f92f15382613ff30e17485515103e37d0bf2

Download Submit
memory/1908-291-0x0000000006840000-0x00000000068D2000-memory.dmp

Filesize
584KB

Download
memory/1908-293-0x00000000067F0000-0x00000000067FA000-memory.dmp

Filesize
40KB

Download
memory/1908-268-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/1908-266-0x0000000005F80000-0x0000000005F98000-memory.dmp

Filesize
96KB

Download
memory/1908-254-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/1908-245-0x0000000005630000-0x0000000005B2E000-memory.dmp

Filesize
5.0MB

Download
memory/1908-242-0x0000000002C30000-0x0000000002C6A000-memory.dmp

Filesize
232KB

Download
memory/1968-149-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-158-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-126-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-127-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-128-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-129-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-130-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-131-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-132-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-133-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-134-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-135-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-136-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-137-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-138-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-139-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-140-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-141-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-142-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-143-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-144-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-145-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-146-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-147-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-148-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-124-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-150-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-151-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-152-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-153-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-154-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-155-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-156-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-125-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-157-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-116-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-117-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-118-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-119-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-120-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-121-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-122-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-123-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-178-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-168-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-171-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-172-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-173-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-174-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-175-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-176-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-177-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-166-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-170-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-169-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-179-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-165-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-164-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-163-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-162-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-161-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-180-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-181-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-182-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download