agenttesla | c0944f847ff90ba9cf6ddb5cc5dfd895dca2d763123385677ff4ff3445a2549d

Analysis

max time kernel
66s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG17613.exe
Size

1.2MB
MD5

bcd50df1014ab4d7c735c6e5347c3a1e
SHA1

8e77d53b6388116cafcf49d3b2777ca1dcfe0d1a
SHA256

2e64e9db47d38ba509cdd4ca9b9ca2a589c9834ac2bde1d8a6e4ea89bbc47fa6
SHA512

04194528a02dd65810500977b1326c33bb57d716f72b78c128ff865223271a4543d0ef4d69fd2c3b3a8e8195391d2374c81ddf517d55b76e790d49aab10cdaed
SSDEEP

24576:pAOcZT+NxxX3ENpR8SlcRDC14DS8BaCZ73QqQ5SOb2eYzf:DRQYSlcNNS8BBbJNzf

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
280	nruluikqa.exe
1740	RegSvcs.exe

Loads dropped DLL 2 IoCs

pid	Process
1332	WScript.exe
280	nruluikqa.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	nruluikqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windowsate = "0\\3_26\\nruluikqa.exe 0\\3_26\\fbjdqgwu.ktp"	nruluikqa.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 280 set thread context of 1740	280	nruluikqa.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1740	RegSvcs.exe
1740	RegSvcs.exe
1740	RegSvcs.exe
1740	RegSvcs.exe
1740	RegSvcs.exe
1740	RegSvcs.exe
1740	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1332	1600	IMG17613.exe	27
PID 1600 wrote to memory of 1332	1600	IMG17613.exe	27
PID 1600 wrote to memory of 1332	1600	IMG17613.exe	27
PID 1600 wrote to memory of 1332	1600	IMG17613.exe	27
PID 1332 wrote to memory of 280	1332	WScript.exe	28
PID 1332 wrote to memory of 280	1332	WScript.exe	28
PID 1332 wrote to memory of 280	1332	WScript.exe	28
PID 1332 wrote to memory of 280	1332	WScript.exe	28
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29
PID 280 wrote to memory of 1740	280	nruluikqa.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\IMG17613.exe
"C:\Users\Admin\AppData\Local\Temp\IMG17613.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\3_26\osjutmj.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe
    "C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe" fbjdqgwu.ktp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3_26\fbjdqgwu.ktp

Filesize
167.5MB

MD5
6401a6dcb3aeaa5afa29bdd81792ecc2

SHA1
fec29cf91bdb766f2509c856ad76be13d1c79d88

SHA256
55d164c14921cc946afc39d537e881ead2c35a111a938d23898ee70296dc8a4e

SHA512
e74a1f50b6ff951e4dfcbdf30d8da537107bf2b8a4d70346e6f4a0b716d11e61687e7b91352916694fddf737f8819a2575cdcd71f213a4bcf9381a4d19b2a819

Download Submit
C:\Users\Admin\AppData\Local\Temp\3_26\gamdisqvxt.log

Filesize
50KB

MD5
74e7d9c4151845a85593f721021d2058

SHA1
13eca87a11be1fd9f3a35365ddd771b912462b6b

SHA256
9e6d9f29ef6c6edae6d11a44e3315f94c5c350a64511a5d5af3bffebceff18c0

SHA512
7aef27808bdd598c797fa26c2ce602d4c601a72c2713b9b476e8f56e087819097747e3b2a54b59c5f57e496ec9ff2687d80675a91076af9ae369a629b993df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe

Filesize
1.4MB

MD5
be509bf8276f9126a33cfd4ae96af87d

SHA1
d01e9c048f3d444d1d393a245350473ac1e0ad45

SHA256
7f8bfd84ab6926d49cd8257358ac342f9d0a4709a391279f8d51f1d97e092e99

SHA512
0ac438ed1aba56c9633225e0966f6e1c4f94c756bc6dcea9dc8ceae8a690b66f399f08fc32f40539f7f454dce8a15f7ee87fc3f9be3e68f9bed1b84a4bd6139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe

Filesize
1.4MB

MD5
be509bf8276f9126a33cfd4ae96af87d

SHA1
d01e9c048f3d444d1d393a245350473ac1e0ad45

SHA256
7f8bfd84ab6926d49cd8257358ac342f9d0a4709a391279f8d51f1d97e092e99

SHA512
0ac438ed1aba56c9633225e0966f6e1c4f94c756bc6dcea9dc8ceae8a690b66f399f08fc32f40539f7f454dce8a15f7ee87fc3f9be3e68f9bed1b84a4bd6139c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3_26\qrfac.lme

Filesize
436KB

MD5
6538dcf07b2fd6ca5a1f0c05e47098d5

SHA1
466c428cb4343d9ed8d2f0812f3faa280f770077

SHA256
1eeb1df648e7d5bdce0c85053607386c5a5c87c91e9291dd129965cbf4488b67

SHA512
44c496c86b66ebc83c34e2c12fe1449aaff07273e1353cb07fc4e7e2cfee42f96c099483b27981e3df25ed616a9d32cb5686b24b085dcd7db97d3874e856ff02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\temp\3_26\osjutmj.vbe

Filesize
33KB

MD5
02f84dc637aa9058d08a27671ab7a579

SHA1
036ce5094c6f30adf5167768f15debb4be8f367c

SHA256
04675271a055112e6d3427da8d17c547110e9ea8d24b6b4414ec87a82455f53e

SHA512
cfd316dcea9f783ef4f9611320295d6f32cab7bbb69e68c14ea12bc710af2cd6687ee0dc494fb3940250728ea76c0d5cf164d937944be324ef9cf6ab9f7d1398

Download Submit
\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe

Filesize
1.4MB

MD5
be509bf8276f9126a33cfd4ae96af87d

SHA1
d01e9c048f3d444d1d393a245350473ac1e0ad45

SHA256
7f8bfd84ab6926d49cd8257358ac342f9d0a4709a391279f8d51f1d97e092e99

SHA512
0ac438ed1aba56c9633225e0966f6e1c4f94c756bc6dcea9dc8ceae8a690b66f399f08fc32f40539f7f454dce8a15f7ee87fc3f9be3e68f9bed1b84a4bd6139c

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1740-67-0x0000000000460000-0x0000000000A9A000-memory.dmp

Filesize
6.2MB

Download
memory/1740-69-0x0000000000460000-0x0000000000A9A000-memory.dmp

Filesize
6.2MB

Download
memory/1740-73-0x0000000000460000-0x0000000000A9A000-memory.dmp

Filesize
6.2MB

Download
memory/1740-75-0x0000000000460000-0x0000000000A9A000-memory.dmp

Filesize
6.2MB

Download
memory/1740-77-0x0000000000460000-0x000000000049C000-memory.dmp

Filesize
240KB

Download