agenttesla | e0de15aa0a50a7d2b5032198743c13e8b66118949a18f93f685786b37b7eb4e3

General

Target

PI#102087.exe
Size

651KB
MD5

505852f2cd67a14131d2d6e927d92889
SHA1

a7062897a84533c30705eb6667d352c78a43b9f6
SHA256

8e6fe812e3f4a19a51a0978e9c47e2cdb891f1feecb0a7ae2c1eff744c971371
SHA512

49709821545b0fb4e7c12ebee2382258def6f5ad9025c91d1ce28bd02b961d8f7c0aed47d2d1a866d5636643d9f13e5a561c872e06e758af2f2f148180bd7585
SSDEEP

12288:sFTYIvM3zrbETClyHskFgFwIyXCDmVRSmMSwOQkL7AiGSdrZOOP55U9smC7B4s:6dU376CoskFgqIyXxv/kiPpZFbU9smCr

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.strictfacilityservices.com
Port:
587
Username:
[email protected]
Password:
SFS!@#321
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

PI#102087.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PI#102087.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PI#102087.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PI#102087.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PI#102087.exe

description pid process target process

PID 1704 set thread context of 1716 1704 PI#102087.exe PI#102087.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

PI#102087.exe

pid process

1716 PI#102087.exe
1716 PI#102087.exe
1716 PI#102087.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PI#102087.exePI#102087.exe

description pid process

Token: SeDebugPrivilege 1704 PI#102087.exe
Token: SeDebugPrivilege 1716 PI#102087.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PI#102087.exe

pid process

1716 PI#102087.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1704 set thread context of 1716	1704	PI#102087.exe	PI#102087.exe

pid	process
772	schtasks.exe

pid	process
1716	PI#102087.exe
1716	PI#102087.exe
1716	PI#102087.exe

description	pid	process
Token: SeDebugPrivilege	1704	PI#102087.exe
Token: SeDebugPrivilege	1716	PI#102087.exe

pid	process
1716	PI#102087.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PI#102087.exe

description	pid	process	target process
PID 1704 wrote to memory of 772	1704	PI#102087.exe	schtasks.exe
PID 1704 wrote to memory of 772	1704	PI#102087.exe	schtasks.exe
PID 1704 wrote to memory of 772	1704	PI#102087.exe	schtasks.exe
PID 1704 wrote to memory of 772	1704	PI#102087.exe	schtasks.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe
PID 1704 wrote to memory of 1716	1704	PI#102087.exe	PI#102087.exe

outlook_office_path 1 IoCs

Processes:

PI#102087.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PI#102087.exe

outlook_win_path 1 IoCs

Processes:

PI#102087.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PI#102087.exe

C:\Users\Admin\AppData\Local\Temp\PI#102087.exe
"C:\Users\Admin\AppData\Local\Temp\PI#102087.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZqcivZeoGSZA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0BA.tmp"
2⤵
- Creates scheduled task(s)
PID:772

C:\Users\Admin\AppData\Local\Temp\PI#102087.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB0BA.tmp

Filesize
1KB

MD5
84a4c8f1858c283b4a1b22d4083c4394

SHA1
3742b5b5b1ee73eca8a7fd551eb1ef312bb64481

SHA256
ae2c146d93fc534a504f8bfd8ca759694372a09c7ee3aee90210734cd8cc6c7c

SHA512
b54d9bff5719d6fd2d36781803aae49a33ac5db07773068374e354fe0ee93468e35d679e05e2d48ac84cff38904fab2d69bd1f3f328bef942e91b8f3c2fd5259

Download Submit
memory/772-59-0x0000000000000000-mapping.dmp

Download
memory/1704-57-0x0000000000AA0000-0x0000000000B22000-memory.dmp

Filesize
520KB

Download
memory/1704-54-0x00000000009F0000-0x0000000000A98000-memory.dmp

Filesize
672KB

Download
memory/1704-58-0x0000000004A50000-0x0000000004A8C000-memory.dmp

Filesize
240KB

Download
memory/1704-56-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1704-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1716-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-67-0x0000000000437B9E-mapping.dmp

Download
memory/1716-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads