agenttesla | d29075d85d60a21f86b7ac67c4dcf41ca46a96b208681b3f3486d07182ec620a

General

Target

vbc.exe
Size

858KB
MD5

7fb9b2d5837ba9d8b7ea0ad5d75f4c7e
SHA1

82964b5e19f148755650d2ed0acfa6c74b6b9c6e
SHA256

d29075d85d60a21f86b7ac67c4dcf41ca46a96b208681b3f3486d07182ec620a
SHA512

d0f7c55e2f3ea8b11e7f258afa8006719ad5476b5eb82d2e3278847ab4883186a88954cde38b6c8b4f63b383db16ba2dc2a61364fff3e31d02bbb240bd8ed777
SSDEEP

12288:huhWHStbpxyNzXkoyhjDZbhqLY9c1IDf56F1KbMUhllldGl0u4:0UHXcnaYNj5qGPvjx

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
snakelogs@yandex.com
Password:
tqzwrcdhriqzrjyb

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
snakelogs@yandex.com
Password:
tqzwrcdhriqzrjyb

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CasPol.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgsyd = "C:\\Users\\Admin\\AppData\\Roaming\\rgsyd\\rgsyd.exe"	CasPol.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1284 set thread context of 1064 1284 vbc.exe CasPol.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

588 1284 WerFault.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CasPol.exe

pid process

1064 CasPol.exe
1064 CasPol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CasPol.exe

description pid process

Token: SeDebugPrivilege 1064 CasPol.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org

description	pid	process	target process
PID 1284 set thread context of 1064	1284	vbc.exe	CasPol.exe

pid	pid_target	process	target process
588	1284	WerFault.exe	vbc.exe

pid	process
1064	CasPol.exe
1064	CasPol.exe

description	pid	process
Token: SeDebugPrivilege	1064	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

vbc.exe

description	pid	process	target process
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 1064	1284	vbc.exe	CasPol.exe
PID 1284 wrote to memory of 588	1284	vbc.exe	WerFault.exe
PID 1284 wrote to memory of 588	1284	vbc.exe	WerFault.exe
PID 1284 wrote to memory of 588	1284	vbc.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

outlook_win_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1284 -s 760
2⤵
- Program crash
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/1064-58-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1064-59-0x0000000000437BEE-mapping.dmp

Download
memory/1064-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1064-63-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1064-65-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1284-54-0x0000000000BB0000-0x0000000000C8A000-memory.dmp

Filesize
872KB

Download
memory/1284-55-0x000000001AE70000-0x000000001AF1C000-memory.dmp

Filesize
688KB

Download
memory/1284-56-0x000000001B2F0000-0x000000001B39A000-memory.dmp

Filesize
680KB

Download
memory/1284-57-0x000000001B3A0000-0x000000001B446000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads