agenttesla | d8d32922ddd6305ce4acc9c970e0a6d1c5866d344496be1620498ea035e9baf7

Analysis

max time kernel
148s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG1128061077.exe
Size

1.1MB
MD5

c2f09ea4f30b3487f2361cf37732191f
SHA1

a437c48bb287e6a5f86aa83165c3720b7431f6e7
SHA256

d8d32922ddd6305ce4acc9c970e0a6d1c5866d344496be1620498ea035e9baf7
SHA512

0dd4a64880ec25c0ddd45447cc3a5c55854cc68ecf873f76b7785328dfcc0c6e8511640b153badba15097f71257f0b68945fe64af43b70d2de48d74d24c3aa4a
SSDEEP

24576:LAOcZXMu15QjEBv0BbJswG5cFu4KnmdMLFspB6Q7CqFHd:Nc5QjEBv0BWd5c4nmdMLE8Q77

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

http://107.189.4.253/zipone/inc/10c5bcaaef047d.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 3 IoCs

Processes:

sndkbhuie.exeFB_5AAE.tmp.exeFB_64B1.tmp.exe

pid process

1744 sndkbhuie.exe
5060 FB_5AAE.tmp.exe
3696 FB_64B1.tmp.exe

pid	process
1744	sndkbhuie.exe
5060	FB_5AAE.tmp.exe
3696	FB_64B1.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG1128061077.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	IMG1128061077.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

FB_5AAE.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_5AAE.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_5AAE.tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_5AAE.tmp.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 api.ipify.org
52 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

sndkbhuie.exe

description pid process target process

PID 1744 set thread context of 4568 1744 sndkbhuie.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1104 schtasks.exe

flow	ioc
51	api.ipify.org
52	api.ipify.org

description	pid	process	target process
PID 1744 set thread context of 4568	1744	sndkbhuie.exe	RegSvcs.exe

pid	process
1104	schtasks.exe

Modifies registry class 2 IoCs

Processes:

IMG1128061077.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	IMG1128061077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

sndkbhuie.exeFB_5AAE.tmp.exe

pid process

1744 sndkbhuie.exe
1744 sndkbhuie.exe
1744 sndkbhuie.exe
1744 sndkbhuie.exe
5060 FB_5AAE.tmp.exe
5060 FB_5AAE.tmp.exe
5060 FB_5AAE.tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FB_5AAE.tmp.exe

description pid process

Token: SeDebugPrivilege 5060 FB_5AAE.tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FB_5AAE.tmp.exe

pid process

5060 FB_5AAE.tmp.exe

pid	process
1744	sndkbhuie.exe
1744	sndkbhuie.exe
1744	sndkbhuie.exe
1744	sndkbhuie.exe
5060	FB_5AAE.tmp.exe
5060	FB_5AAE.tmp.exe
5060	FB_5AAE.tmp.exe

description	pid	process
Token: SeDebugPrivilege	5060	FB_5AAE.tmp.exe

pid	process
5060	FB_5AAE.tmp.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

IMG1128061077.exeWScript.exesndkbhuie.exeRegSvcs.exeFB_64B1.tmp.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 4772	4892	IMG1128061077.exe	WScript.exe
PID 4892 wrote to memory of 4772	4892	IMG1128061077.exe	WScript.exe
PID 4892 wrote to memory of 4772	4892	IMG1128061077.exe	WScript.exe
PID 4772 wrote to memory of 1744	4772	WScript.exe	sndkbhuie.exe
PID 4772 wrote to memory of 1744	4772	WScript.exe	sndkbhuie.exe
PID 4772 wrote to memory of 1744	4772	WScript.exe	sndkbhuie.exe
PID 1744 wrote to memory of 4304	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4304	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4304	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 1744 wrote to memory of 4568	1744	sndkbhuie.exe	RegSvcs.exe
PID 4568 wrote to memory of 5060	4568	RegSvcs.exe	FB_5AAE.tmp.exe
PID 4568 wrote to memory of 5060	4568	RegSvcs.exe	FB_5AAE.tmp.exe
PID 4568 wrote to memory of 5060	4568	RegSvcs.exe	FB_5AAE.tmp.exe
PID 4568 wrote to memory of 3696	4568	RegSvcs.exe	FB_64B1.tmp.exe
PID 4568 wrote to memory of 3696	4568	RegSvcs.exe	FB_64B1.tmp.exe
PID 3696 wrote to memory of 2084	3696	FB_64B1.tmp.exe	cmd.exe
PID 3696 wrote to memory of 2084	3696	FB_64B1.tmp.exe	cmd.exe
PID 2084 wrote to memory of 1104	2084	cmd.exe	schtasks.exe
PID 2084 wrote to memory of 1104	2084	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

FB_5AAE.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_5AAE.tmp.exe

outlook_win_path 1 IoCs

Processes:

FB_5AAE.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FB_5AAE.tmp.exe

C:\Users\Admin\AppData\Local\Temp\IMG1128061077.exe
"C:\Users\Admin\AppData\Local\Temp\IMG1128061077.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_21\uxrdgkv.vbe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\1_21\sndkbhuie.exe
"C:\Users\Admin\AppData\Local\Temp\1_21\sndkbhuie.exe" orwbi.ppt
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\FB_5AAE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_5AAE.tmp.exe"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:5060

C:\Users\Admin\AppData\Local\Temp\FB_64B1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_64B1.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C schtasks /create /tn \oflgwXquKB /tr "C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\schtasks.exe
schtasks /create /tn \oflgwXquKB /tr "C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
7⤵
- Creates scheduled task(s)
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1_21\CCADCU~1.UFP

Filesize
486KB

MD5
e6fd501f926b13ffa3cf669b60f1bcac

SHA1
d0d935706fafb13b30a93172c87d000f9efaa593

SHA256
4e48e4af0178e6020e3d8465ca68a21f2958d4914157156302e8fc18b7d3cf89

SHA512
4145c0d33a4693bccb471a5efdc32958744b02772a94e0c1a7cedd308ec03ecd3a20615ba745098c5acbd4e5fd741ee510d22c5fd43c3c352e69bd6a6611087b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_21\dsjunpjk.bmp

Filesize
51KB

MD5
53f00d0add15553ead58f5ab8cc05d9f

SHA1
e550349e19a1823260b46b1b28d95be038d6c94a

SHA256
80ed3fce8096743b3bb9f205902749a416b5b0eb04e3ff2b9a97b828bfbeb494

SHA512
b150e3dcf66c7ed9dc61c5d9d48c1d301d762c1155ec6b2daabe07460278fe99d68b9658939245712106cc96f5b8e343b89d1a1b42953ed8846d47ec8334c77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_21\orwbi.ppt

Filesize
113.8MB

MD5
94bb251b657d443554dd19416b71b584

SHA1
3f43434b318ef7582a20b13dad318f8ae614b7ad

SHA256
47b1ec135cfb4aea677b757edd41b537b92a1673d73ffe030251b72a86778286

SHA512
07eaad95344e6fa0d90a12eb3fff770d00147ebdce9801f2fadae23a76f2363482b530be209222650232b78e2bc8e206d847b64e5cb3c4b15061f5a87c1142a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_21\sndkbhuie.exe

Filesize
925KB

MD5
682c72d316320e53161bce69a284ad3f

SHA1
8f79eb95055d5b7e055264cf38b94d9a4715572c

SHA256
d2e86eb3785286cb4820266f48a4aa1cc1d100f14e6acfa966ad4cbafae4c3c2

SHA512
e69cdf3ba5b43a88d2b1b8939cb8f781504206372e14622c092b18041a58a20b00d5f94e53b9866c0bc9235ec0e8a7b42aba0540eeb999294a5f0883d89ec91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_21\sndkbhuie.exe

Filesize
925KB

MD5
682c72d316320e53161bce69a284ad3f

SHA1
8f79eb95055d5b7e055264cf38b94d9a4715572c

SHA256
d2e86eb3785286cb4820266f48a4aa1cc1d100f14e6acfa966ad4cbafae4c3c2

SHA512
e69cdf3ba5b43a88d2b1b8939cb8f781504206372e14622c092b18041a58a20b00d5f94e53b9866c0bc9235ec0e8a7b42aba0540eeb999294a5f0883d89ec91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5AAE.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_5AAE.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_64B1.tmp.exe

Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_64B1.tmp.exe

Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
C:\Users\Admin\AppData\Local\temp\1_21\uxrdgkv.vbe

Filesize
57KB

MD5
69efd9bd156c6defe5baf348b22f65cf

SHA1
e2ca6026fe7edd588b629e117739ec5072fdd10b

SHA256
baeaf19022f8298209969fc29462b848e38bad2a192c7ece72623afd79b5b6f2

SHA512
ccf6d3a1a10c190f848013a62b5c7050776b38b8fcf3eaeba98f15dec5285a05a64232448c6ff29f40153be4a32330868f0bdf3e593b8b48a2d63d9105aa86ff

Download Submit
memory/1104-159-0x0000000000000000-mapping.dmp

Download
memory/1744-135-0x0000000000000000-mapping.dmp

Download
memory/2084-157-0x0000000000000000-mapping.dmp

Download
memory/3696-152-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/3696-158-0x00007FF895220000-0x00007FF895CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3696-155-0x00007FF895220000-0x00007FF895CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3696-149-0x0000000000000000-mapping.dmp

Download
memory/3696-153-0x00007FF895220000-0x00007FF895CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-140-0x0000000000000000-mapping.dmp

Download
memory/4568-145-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4568-141-0x0000000000000000-mapping.dmp

Download
memory/4568-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4568-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4772-132-0x0000000000000000-mapping.dmp

Download
memory/5060-146-0x0000000000000000-mapping.dmp

Download
memory/5060-156-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download
memory/5060-154-0x00000000747E0000-0x0000000074D91000-memory.dmp

Filesize
5.7MB

Download