agenttesla | e0aba5ebc59f8ac0f8b7be112da2ee481e30c4da9f213552f76ff7c5056c1ef3

General

Target

2211.exe
Size

653KB
MD5

aeb1becc0f251e643e27c95d2fa1d91b
SHA1

f14bbc296f1da0a6e11993286871f2e9bacff72c
SHA256

8cdd2376c22a3f37faafe3a39f3730b7c03c9e641b729607ca2b083abbc3f05e
SHA512

0f2f2d370b257796b73f227adb055bfdd57621f34198cfabf66eef1dee43c5904263f32a7ce699ef716709dd3119b46639726e571e495533f15a2e8c403c9dec
SSDEEP

12288:ggF5Mgmsq8We1+CGGpKw65AHm9RCBT3g5AnttzyrMNkaM8:ggF5asqb+BFV2RKT/ntMMKaM8

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 4 IoCs

Processes:

bzbvzlhl.exebzbvzlhl.exebzbvzlhl.exebzbvzlhl.exe

pid process

1620 bzbvzlhl.exe
1556 bzbvzlhl.exe
1548 bzbvzlhl.exe
4392 bzbvzlhl.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1620	bzbvzlhl.exe
1556	bzbvzlhl.exe
1548	bzbvzlhl.exe
4392	bzbvzlhl.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

bzbvzlhl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bzbvzlhl.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bzbvzlhl.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bzbvzlhl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bzbvzlhl.exebzbvzlhl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbhhsudlkg = "C:\\Users\\Admin\\AppData\\Roaming\\aqpvijntejq\\thpai.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bzbvzlhl.exe\" \"C:\\Users\\Admin\\AppData\\Loca"	bzbvzlhl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MYAPP = "C:\\Users\\Admin\\AppData\\Roaming\\MYAPP\\MYAPP.exe"	bzbvzlhl.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.ipify.org
38 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

bzbvzlhl.exe

description pid process target process

PID 1620 set thread context of 4392 1620 bzbvzlhl.exe bzbvzlhl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

bzbvzlhl.exe

pid process

4392 bzbvzlhl.exe
4392 bzbvzlhl.exe
4392 bzbvzlhl.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

bzbvzlhl.exe

pid process

1620 bzbvzlhl.exe
1620 bzbvzlhl.exe
1620 bzbvzlhl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bzbvzlhl.exe

description pid process

Token: SeDebugPrivilege 4392 bzbvzlhl.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

bzbvzlhl.exe

pid process

1620 bzbvzlhl.exe
1620 bzbvzlhl.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

bzbvzlhl.exe

pid process

1620 bzbvzlhl.exe
1620 bzbvzlhl.exe

flow	ioc
37	api.ipify.org
38	api.ipify.org

description	pid	process	target process
PID 1620 set thread context of 4392	1620	bzbvzlhl.exe	bzbvzlhl.exe

pid	process
4392	bzbvzlhl.exe
4392	bzbvzlhl.exe
4392	bzbvzlhl.exe

pid	process
1620	bzbvzlhl.exe
1620	bzbvzlhl.exe
1620	bzbvzlhl.exe

description	pid	process
Token: SeDebugPrivilege	4392	bzbvzlhl.exe

pid	process
1620	bzbvzlhl.exe
1620	bzbvzlhl.exe

pid	process
1620	bzbvzlhl.exe
1620	bzbvzlhl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2211.exebzbvzlhl.exe

description	pid	process	target process
PID 4956 wrote to memory of 1620	4956	2211.exe	bzbvzlhl.exe
PID 4956 wrote to memory of 1620	4956	2211.exe	bzbvzlhl.exe
PID 4956 wrote to memory of 1620	4956	2211.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 1556	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 1556	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 1556	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 1548	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 1548	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 1548	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 4392	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 4392	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 4392	1620	bzbvzlhl.exe	bzbvzlhl.exe
PID 1620 wrote to memory of 4392	1620	bzbvzlhl.exe	bzbvzlhl.exe

outlook_office_path 1 IoCs

Processes:

bzbvzlhl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bzbvzlhl.exe

outlook_win_path 1 IoCs

Processes:

bzbvzlhl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bzbvzlhl.exe

C:\Users\Admin\AppData\Local\Temp\2211.exe
"C:\Users\Admin\AppData\Local\Temp\2211.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
"C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
"C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
3⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
"C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
3⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
"C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avqvqsomdl.xb
Filesize
296KB

MD5
51b916511c0aea57ca2897190bb3e539

SHA1
d39eaa300d71355228bcc21a0ec46c4d3f7f0016

SHA256
b15acc30ffbeb3cfb395eb9431b851d1a290351f33fa949d32764766aa970aa9

SHA512
9e6baf8b61509b79e069090eba870df4d8149fd57ac8cd1e57283613f1f0964827e7c80f2a0619edcd3cfeb9db5476f96346c3257b84ccb50b759936894980e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3
Filesize
5KB

MD5
3269fd188633739100bdb419077af27b

SHA1
3002dc219e2ad8962925a9c5d2eee1f65b013b34

SHA256
f43d648a96bf10e8f16ee249ed7720cb397b5b3ace8984b89394cc3c89d9bd2b

SHA512
036c8a02f6bd7e4b7acc0c5eab35791b7c971c63c9baae228fbdcab535486f4ad93ce4516d77b34c4990a98a90fe3215d1a830989bd08a5c08dc7b5d17a06b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbdoha.zm
Filesize
53KB

MD5
4d0605d5d6f7c6d6ab3aa83ec69864b1

SHA1
fb135fb2f48eb124a0483780a937f06ce9e2facf

SHA256
91c90ec3f95d41d190a54c7e27637cebae0749c0db1b805a28729e077e0df0c5

SHA512
abd50e6877e9c9e592afe661b28957b4640e0a0084135e5a35fb955378f9f995693c000d85aff972d4e987ac262400f8e5c7cd40ab8e04a9ed1b8c7d8ac33a40

Download Submit
memory/1548-139-0x0000000000000000-mapping.dmp

Download
memory/1556-138-0x0000000000000000-mapping.dmp

Download
memory/1620-132-0x0000000000000000-mapping.dmp

Download
memory/4392-142-0x0000000000000000-mapping.dmp

Download
memory/4392-144-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/4392-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4392-146-0x00000000059D0000-0x0000000005A6C000-memory.dmp

Filesize
624KB

Download
memory/4392-147-0x0000000006CC0000-0x0000000006D26000-memory.dmp

Filesize
408KB

Download
memory/4392-148-0x0000000007FC0000-0x0000000008010000-memory.dmp

Filesize
320KB

Download
memory/4392-149-0x00000000080B0000-0x0000000008142000-memory.dmp

Filesize
584KB

Download
memory/4392-150-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads