agenttesla | 6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158

Analysis

max time kernel
144s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
26-11-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
Size

1.1MB
MD5

a471e88b1cb62af98534d61c26dd1973
SHA1

e9265d4b74ee8b09f60e1ab391691a90d19988ff
SHA256

6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158
SHA512

0954f6dac7062861892394a8daebe248eb93e2e0e56cb2784287479ca80b113725f21a3fde25e791027f10fc580129dbaa84c7a9f6ff63cefb465d3ff1c49f6f
SSDEEP

24576:LAOcZXMungWgkTJgO4KnmdMLFspB6Q7CqF+7f:NrkTmWnmdMLE8Q7m

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

htufvjckrp.exe

pid process

2224 htufvjckrp.exe

pid	process
2224	htufvjckrp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

htufvjckrp.exe

description pid process target process

PID 2224 set thread context of 4708 2224 htufvjckrp.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	api.ipify.org
7	api.ipify.org

description	pid	process	target process
PID 2224 set thread context of 4708	2224	htufvjckrp.exe	RegSvcs.exe

Modifies registry class 2 IoCs

Processes:

6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WScript.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

htufvjckrp.exeRegSvcs.exe

pid process

2224 htufvjckrp.exe
2224 htufvjckrp.exe
2224 htufvjckrp.exe
2224 htufvjckrp.exe
4708 RegSvcs.exe
4708 RegSvcs.exe
4708 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4708 RegSvcs.exe

pid	process
2224	htufvjckrp.exe
2224	htufvjckrp.exe
2224	htufvjckrp.exe
2224	htufvjckrp.exe
4708	RegSvcs.exe
4708	RegSvcs.exe
4708	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4708	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exeWScript.exehtufvjckrp.exe

description	pid	process	target process
PID 2696 wrote to memory of 1916	2696	6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe	WScript.exe
PID 2696 wrote to memory of 1916	2696	6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe	WScript.exe
PID 2696 wrote to memory of 1916	2696	6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe	WScript.exe
PID 1916 wrote to memory of 2224	1916	WScript.exe	htufvjckrp.exe
PID 1916 wrote to memory of 2224	1916	WScript.exe	htufvjckrp.exe
PID 1916 wrote to memory of 2224	1916	WScript.exe	htufvjckrp.exe
PID 2224 wrote to memory of 4708	2224	htufvjckrp.exe	RegSvcs.exe
PID 2224 wrote to memory of 4708	2224	htufvjckrp.exe	RegSvcs.exe
PID 2224 wrote to memory of 4708	2224	htufvjckrp.exe	RegSvcs.exe
PID 2224 wrote to memory of 4708	2224	htufvjckrp.exe	RegSvcs.exe
PID 2224 wrote to memory of 4708	2224	htufvjckrp.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe
"C:\Users\Admin\AppData\Local\Temp\6427b1234b3182b21cfe73e027a9943505033e0ca9c557504051581d77191158.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_101\qmanokwuqp.vbe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\6_101\htufvjckrp.exe
"C:\Users\Admin\AppData\Local\Temp\6_101\htufvjckrp.exe" elfiuvguee.mp3
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_101\RNCIGF~1.USO

Filesize
432KB

MD5
fbd7d96a2545c74bdc65e04743241591

SHA1
fa3293cc1772e325e661dbd5e5f24cd8f67efea5

SHA256
a4b6a263649a0e487e8076a6890378597c03c7e57673f41cf3d035e33528314a

SHA512
e94f6671542650c84c3b6ef257d0d9bf1f5ec686ca1c03e683b3f0550bc6043499169fc82347b93b990a6baa199afa73b717425762b17e1aae96ebbd04d0feab

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_101\ekvjr.msc

Filesize
49KB

MD5
1977c58b96f809d4e3211b5050bdd267

SHA1
bbb74338a0cfec6e4d3e99051f3e629c92fb80e5

SHA256
8aad2bee320cca9eca5ba06ca2ffd5d3416072734c8c4765f99070fba70b1562

SHA512
02bd9c1cfdeea87e9fc5c6c10e38bace2a36f6e2363b0071bdc82853d4851c4e1d7c33a8acb443eeb6b6ead5512f4968c716ddca71240c874d50e7b9757472a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_101\elfiuvguee.mp3

Filesize
87.0MB

MD5
b6974732f0c9d3a9162a62e95c53e0d0

SHA1
317d6400173f7ef5ce4041d403ade9772ee26e30

SHA256
6ba679b57d7303b032907bfbad29c3168555eefbf06e2bf98549500ae15c37ce

SHA512
651ee89e19feaf3920edaf45ceeb27e510707f5ebe60a79a2c58233c9cfe77115fe5edad6f252acc6256f6cd2d74f26d3abb98aa8ac84e1d1a6da7df804b251a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_101\htufvjckrp.exe

Filesize
922KB

MD5
afd2a35012fed0d02c1bed23c663e961

SHA1
803d2ef99125463fc842c0efde0f40a09667a9f4

SHA256
d2fad1d9a4792b08eb3f1ac04332473760046bc3212d12a2afef127731d930d5

SHA512
1d8262324a7037e0ca41efee51e6f078c845799bddeaf2d88a63e0db4ed709234960fb0f8eadb68d7e06fd96eca3b8502fc7c7cc5b6525e845a15e920ae80192

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_101\htufvjckrp.exe

Filesize
922KB

MD5
afd2a35012fed0d02c1bed23c663e961

SHA1
803d2ef99125463fc842c0efde0f40a09667a9f4

SHA256
d2fad1d9a4792b08eb3f1ac04332473760046bc3212d12a2afef127731d930d5

SHA512
1d8262324a7037e0ca41efee51e6f078c845799bddeaf2d88a63e0db4ed709234960fb0f8eadb68d7e06fd96eca3b8502fc7c7cc5b6525e845a15e920ae80192

Download Submit
C:\Users\Admin\AppData\Local\temp\6_101\qmanokwuqp.vbe

Filesize
46KB

MD5
70fdcdeda0624ad8472efa1d5e4626dc

SHA1
4c1c56e66fb649e162bee72409ff8cc3ab020d55

SHA256
4f57890d435562f02d121df3420a8af22be503fd2d92b562e009bb7374db2872

SHA512
5429d7b00360bcf4eae8296a72e57063cdf7f0ff85d186ae5fae32f229474213a4d942692b41ca403fe80b8980acd3546778c2171a7b4c218511f59ceedb6a19

Download Submit
memory/1916-181-0x0000000000000000-mapping.dmp

Download
memory/1916-184-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1916-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/1916-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2224-279-0x0000000000000000-mapping.dmp

Download
memory/2696-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-133-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-135-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-142-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-146-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-148-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-152-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-155-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-156-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-157-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-158-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-159-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-120-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-165-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-170-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-171-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-172-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-174-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-175-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-177-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-178-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-131-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-130-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-129-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-127-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-124-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-123-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-122-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-121-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/4708-352-0x0000000000537BAE-mapping.dmp

Download
memory/4708-385-0x0000000000500000-0x000000000053C000-memory.dmp

Filesize
240KB

Download
memory/4708-389-0x0000000005460000-0x000000000595E000-memory.dmp

Filesize
5.0MB

Download
memory/4708-403-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/4708-413-0x0000000005380000-0x0000000005398000-memory.dmp

Filesize
96KB

Download
memory/4708-415-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/4708-444-0x00000000065C0000-0x0000000006652000-memory.dmp

Filesize
584KB

Download
memory/4708-447-0x00000000065A0000-0x00000000065AA000-memory.dmp

Filesize
40KB

Download