agenttesla | 1934d67c56986a33cc6a786899f4bca45886ef7ddcb1abcab4a8061e0abe1a5d

General

Target

TNT Invoice_pdf.exe
Size

404KB
MD5

f80abe76555b4a785cc99f5c28b005c2
SHA1

85748a350dc49454ff17845fd8275d065bc73229
SHA256

1934d67c56986a33cc6a786899f4bca45886ef7ddcb1abcab4a8061e0abe1a5d
SHA512

f415e6df708bed4fd7dbc443c13f23381cf1bc256d8f82922cbcb653fe131f000cbb38a207c032961673d6f8aab796e0e83f46899c5067ddecc28ced9ccdc9ae
SSDEEP

6144:LBnb2khrC61MSvEufUEWS+jahhoaU0HEpah8yLAw2QA8ffkXF9Lq3IXxjnGi/He4:FnhSoU3jahhvTHCe8Ad2QA8iTqexH+/g

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5731015181:AAEnN7QEEeN_fBCr0YFv_H7lrNpKS_lkspI/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

xzkhybrawk.exexzkhybrawk.exe

pid process

1912 xzkhybrawk.exe
1728 xzkhybrawk.exe
Loads dropped DLL 2 IoCs

Processes:

TNT Invoice_pdf.exexzkhybrawk.exe

pid process

1980 TNT Invoice_pdf.exe
1912 xzkhybrawk.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1912	xzkhybrawk.exe
1728	xzkhybrawk.exe

pid	process
1980	TNT Invoice_pdf.exe
1912	xzkhybrawk.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

xzkhybrawk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xzkhybrawk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xzkhybrawk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xzkhybrawk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xzkhybrawk.exe

description pid process target process

PID 1912 set thread context of 1728 1912 xzkhybrawk.exe xzkhybrawk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xzkhybrawk.exe

pid process

1728 xzkhybrawk.exe
1728 xzkhybrawk.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

xzkhybrawk.exe

pid process

1912 xzkhybrawk.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xzkhybrawk.exe

description pid process

Token: SeDebugPrivilege 1728 xzkhybrawk.exe

description	pid	process	target process
PID 1912 set thread context of 1728	1912	xzkhybrawk.exe	xzkhybrawk.exe

pid	process
1728	xzkhybrawk.exe
1728	xzkhybrawk.exe

pid	process
1912	xzkhybrawk.exe

description	pid	process
Token: SeDebugPrivilege	1728	xzkhybrawk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

TNT Invoice_pdf.exexzkhybrawk.exe

description	pid	process	target process
PID 1980 wrote to memory of 1912	1980	TNT Invoice_pdf.exe	xzkhybrawk.exe
PID 1980 wrote to memory of 1912	1980	TNT Invoice_pdf.exe	xzkhybrawk.exe
PID 1980 wrote to memory of 1912	1980	TNT Invoice_pdf.exe	xzkhybrawk.exe
PID 1980 wrote to memory of 1912	1980	TNT Invoice_pdf.exe	xzkhybrawk.exe
PID 1912 wrote to memory of 1728	1912	xzkhybrawk.exe	xzkhybrawk.exe
PID 1912 wrote to memory of 1728	1912	xzkhybrawk.exe	xzkhybrawk.exe
PID 1912 wrote to memory of 1728	1912	xzkhybrawk.exe	xzkhybrawk.exe
PID 1912 wrote to memory of 1728	1912	xzkhybrawk.exe	xzkhybrawk.exe
PID 1912 wrote to memory of 1728	1912	xzkhybrawk.exe	xzkhybrawk.exe

outlook_office_path 1 IoCs

Processes:

xzkhybrawk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xzkhybrawk.exe

outlook_win_path 1 IoCs

Processes:

xzkhybrawk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xzkhybrawk.exe

C:\Users\Admin\AppData\Local\Temp\TNT Invoice_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Invoice_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe
"C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe" C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe
"C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe" C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fintvl.cso

Filesize
288KB

MD5
06298aaabe372084a429add9f52054e1

SHA1
3f52f836ab3e5e76fdb6f4c19e972df228472b21

SHA256
c5ba2eb05b69349322b2042f27aba5b07434c0d449a6bd615b0377e4eeb55ced

SHA512
4399bbfe2cee91edac8b4b9b8fc3c9efe09dbe76634c7c2a104cec73ac126811170315c1aab6114bac6d04e98d67b83103251b9dffa3b8a84907e970e0587cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y

Filesize
5KB

MD5
f975df753ad36f4aee598c366981762e

SHA1
4f7302948b9b176a3c05fa78c7a686e1b5b81385

SHA256
81b0fcb44fc085b308e1d8524a8aef006d01167b7abfb6d21b0ae944dc720472

SHA512
460b20ea12bd9a5de8c903ea80c434f6cbb45b1eb3dcb74cfac23f602aaba98c01fb124dc70763cdcf9ab95e576601159f6a75dad140a5cb52f1c0915f1659be

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

Filesize
332KB

MD5
2f3fd047aa9f8e88453b01257959a6da

SHA1
fe779bb56fef1be106d893da223e8dd611469c6f

SHA256
79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

SHA512
42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

Filesize
332KB

MD5
2f3fd047aa9f8e88453b01257959a6da

SHA1
fe779bb56fef1be106d893da223e8dd611469c6f

SHA256
79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

SHA512
42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

Filesize
332KB

MD5
2f3fd047aa9f8e88453b01257959a6da

SHA1
fe779bb56fef1be106d893da223e8dd611469c6f

SHA256
79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

SHA512
42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

Download Submit
\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

Filesize
332KB

MD5
2f3fd047aa9f8e88453b01257959a6da

SHA1
fe779bb56fef1be106d893da223e8dd611469c6f

SHA256
79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

SHA512
42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

Download Submit
\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

Filesize
332KB

MD5
2f3fd047aa9f8e88453b01257959a6da

SHA1
fe779bb56fef1be106d893da223e8dd611469c6f

SHA256
79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

SHA512
42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

Download Submit
memory/1728-63-0x0000000000401896-mapping.dmp

Download
memory/1728-66-0x0000000004480000-0x00000000044BA000-memory.dmp

Filesize
232KB

Download
memory/1728-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1912-56-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads