agenttesla | 65c9b0f0953bfb1534836f0077fc7b14edf3c2d06649931cf39c26c7ec9d8f19

General

Target

SHIPPING INVOICE-PACKING LIST DOCS.exe
Size

555KB
MD5

5b7d13236bd0e3f952b7c7b68b04e55d
SHA1

4d4f83b41622cdc8e418681c4c15b7ffc702b421
SHA256

65c9b0f0953bfb1534836f0077fc7b14edf3c2d06649931cf39c26c7ec9d8f19
SHA512

91eed2ee379165f4a316b8cabff80610f7815080650e2eb41db155aa3e7ba629a5739b5ab33fef6ea7dc7b899316bbde1d70243b709350739bc596a02de8d684
SSDEEP

12288:XaZbIZlxbK9ESCYX4XP4upRj19sCdyGIz46mol:XaKxu7R242On9M6mol

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

dkixjr.exedkixjr.exe

pid process

2012 dkixjr.exe
1472 dkixjr.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2012	dkixjr.exe
1472	dkixjr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dkixjr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dkixjr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dkixjr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dkixjr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dkixjr.exe

description pid process target process

PID 2012 set thread context of 1472 2012 dkixjr.exe dkixjr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dkixjr.exe

pid process

1472 dkixjr.exe
1472 dkixjr.exe
1472 dkixjr.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dkixjr.exe

pid process

2012 dkixjr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dkixjr.exe

description pid process

Token: SeDebugPrivilege 1472 dkixjr.exe

description	pid	process	target process
PID 2012 set thread context of 1472	2012	dkixjr.exe	dkixjr.exe

pid	process
1472	dkixjr.exe
1472	dkixjr.exe
1472	dkixjr.exe

pid	process
2012	dkixjr.exe

description	pid	process
Token: SeDebugPrivilege	1472	dkixjr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SHIPPING INVOICE-PACKING LIST DOCS.exedkixjr.exe

description	pid	process	target process
PID 4772 wrote to memory of 2012	4772	SHIPPING INVOICE-PACKING LIST DOCS.exe	dkixjr.exe
PID 4772 wrote to memory of 2012	4772	SHIPPING INVOICE-PACKING LIST DOCS.exe	dkixjr.exe
PID 4772 wrote to memory of 2012	4772	SHIPPING INVOICE-PACKING LIST DOCS.exe	dkixjr.exe
PID 2012 wrote to memory of 1472	2012	dkixjr.exe	dkixjr.exe
PID 2012 wrote to memory of 1472	2012	dkixjr.exe	dkixjr.exe
PID 2012 wrote to memory of 1472	2012	dkixjr.exe	dkixjr.exe
PID 2012 wrote to memory of 1472	2012	dkixjr.exe	dkixjr.exe

outlook_office_path 1 IoCs

Processes:

dkixjr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dkixjr.exe

outlook_win_path 1 IoCs

Processes:

dkixjr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dkixjr.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE-PACKING LIST DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE-PACKING LIST DOCS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\dkixjr.exe
"C:\Users\Admin\AppData\Local\Temp\dkixjr.exe" C:\Users\Admin\AppData\Local\Temp\hlhtoeysjn.mr
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\dkixjr.exe
"C:\Users\Admin\AppData\Local\Temp\dkixjr.exe" C:\Users\Admin\AppData\Local\Temp\hlhtoeysjn.mr
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dkixjr.exe
Filesize
333KB

MD5
3530026ab3aa2fb86aa48d3e97ea4e92

SHA1
d0b797210d85a28ee0b8344cc057c7cfad091a91

SHA256
ce1161671512232159adcc0ae8d0d1b71aa87fecacbd916213e05ae8fec6c37b

SHA512
f5c9ced6493a8703ed649eb015e1d544d45b33fe226185d44f2607fdad4256d17872b00c923870e19828a2f1073fc134183d9c43358da6e3d525f9cb439f74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkixjr.exe
Filesize
333KB

MD5
3530026ab3aa2fb86aa48d3e97ea4e92

SHA1
d0b797210d85a28ee0b8344cc057c7cfad091a91

SHA256
ce1161671512232159adcc0ae8d0d1b71aa87fecacbd916213e05ae8fec6c37b

SHA512
f5c9ced6493a8703ed649eb015e1d544d45b33fe226185d44f2607fdad4256d17872b00c923870e19828a2f1073fc134183d9c43358da6e3d525f9cb439f74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkixjr.exe
Filesize
333KB

MD5
3530026ab3aa2fb86aa48d3e97ea4e92

SHA1
d0b797210d85a28ee0b8344cc057c7cfad091a91

SHA256
ce1161671512232159adcc0ae8d0d1b71aa87fecacbd916213e05ae8fec6c37b

SHA512
f5c9ced6493a8703ed649eb015e1d544d45b33fe226185d44f2607fdad4256d17872b00c923870e19828a2f1073fc134183d9c43358da6e3d525f9cb439f74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fksex.wyt
Filesize
295KB

MD5
cf366c6fa3c9ef7a9b1c15463392f530

SHA1
765fb4bb4cc02d322c00f66ccdd812a437565275

SHA256
650a32f883f5fbd02848ee065d89e56adee648786f0b0ffe81c78f8b1a6be45a

SHA512
9a3f3d9fbed61935031c5927bb68ce6f84e8b1d06ef49d0d22b89ecdd55f4ab5921a27c9428bff4bfd3385a05397ccff38dc550a5f74ff1b2179fc69f92cea0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlhtoeysjn.mr
Filesize
5KB

MD5
f63eb37d3310026dbd77c9a413c4a0ad

SHA1
a167b17dfc66e148217ec051c526d24d9cd94df0

SHA256
13ef85bf9408f5338b453a5c52f872e66fec377db87c0675584d65649eca903a

SHA512
7abd2250119e79eed2f97b5168a034ee5f1e5fac95ac49cb16481dc2a36c678ab6561abceba1a017dccba4175757c948cd125af4406d399482291024dc9a2b9b

Download Submit
memory/1472-137-0x0000000000000000-mapping.dmp

Download
memory/1472-140-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1472-139-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/1472-141-0x0000000004A10000-0x0000000004AAC000-memory.dmp

Filesize
624KB

Download
memory/1472-142-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/1472-143-0x0000000005BF0000-0x0000000005C40000-memory.dmp

Filesize
320KB

Download
memory/1472-144-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/1472-145-0x00000000060B0000-0x00000000060BA000-memory.dmp

Filesize
40KB

Download
memory/2012-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads