agenttesla | 76142d7f4c863e413429c8afc13aebf9f0afeddb3be14ee033ba1bd2e89b0741

General

Target

Copia dell'ordine di pagamento.exe
Size

300.1MB
MD5

af75b6039c209b6c31915ca4957adcd8
SHA1

af396a57bd962bbc927143f924d279962eaa9d5c
SHA256

ecc0953d70c3f7f7fce5ef31dd734452a3ba52d63ec4020646c8a999e10d6003
SHA512

b303c246e15c2e705bbf19f3290f073a199249085321bbdc706ab54fa274c43882d8a0379a781c97050bbed12bb51478b6b4cbc9e18d29496303b2bec92896e0
SSDEEP

384:z7MRYI5eLyY9kgbZQAgDNGprbptYcFmVc03Kv:zzI5aT9kgOAgoFtYcFmVc6Kv

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Copia dell'ordine di pagamento.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Copia dell'ordine di pagamento.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Copia dell'ordine di pagamento.exe

description pid process target process

PID 4740 set thread context of 5056 4740 Copia dell'ordine di pagamento.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeInstallUtil.exe

pid process

3996 powershell.exe
3996 powershell.exe
1944 powershell.exe
1944 powershell.exe
5056 InstallUtil.exe
5056 InstallUtil.exe
5056 InstallUtil.exe

description	pid	process	target process
PID 4740 set thread context of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe

pid	process
3996	powershell.exe
3996	powershell.exe
1944	powershell.exe
1944	powershell.exe
5056	InstallUtil.exe
5056	InstallUtil.exe
5056	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeCopia dell'ordine di pagamento.exepowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4740	Copia dell'ordine di pagamento.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	5056	InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Copia dell'ordine di pagamento.exe

description	pid	process	target process
PID 4740 wrote to memory of 3996	4740	Copia dell'ordine di pagamento.exe	powershell.exe
PID 4740 wrote to memory of 3996	4740	Copia dell'ordine di pagamento.exe	powershell.exe
PID 4740 wrote to memory of 3996	4740	Copia dell'ordine di pagamento.exe	powershell.exe
PID 4740 wrote to memory of 1944	4740	Copia dell'ordine di pagamento.exe	powershell.exe
PID 4740 wrote to memory of 1944	4740	Copia dell'ordine di pagamento.exe	powershell.exe
PID 4740 wrote to memory of 1944	4740	Copia dell'ordine di pagamento.exe	powershell.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe
PID 4740 wrote to memory of 5056	4740	Copia dell'ordine di pagamento.exe	InstallUtil.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Copia dell'ordine di pagamento.exe
"C:\Users\Admin\AppData\Local\Temp\Copia dell'ordine di pagamento.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANwAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
d298e11b9fd298c6b82030c65eb7ee20

SHA1
b5dc26a4e60b926d1c3ec5852aca8cb85b3cac71

SHA256
25d960ba06d16c6a6fff847137abd061cf13db99af1e37e879b97a616bf36cf4

SHA512
adb257cf2fcb529bd296d4936ae379a3a0c268cec5e6a445bbdb1774af8de59c55da6fdcd85c41108b62bb5464bb08363777da4f957d88d5ca77e2f346cbcd6e

Download Submit
memory/1944-145-0x0000000000000000-mapping.dmp

Download
memory/3996-137-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/3996-144-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/3996-134-0x0000000000000000-mapping.dmp

Download
memory/3996-138-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3996-139-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/3996-140-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/3996-135-0x0000000005380000-0x00000000053B6000-memory.dmp

Filesize
216KB

Download
memory/3996-142-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/3996-143-0x0000000008170000-0x00000000087EA000-memory.dmp

Filesize
6.5MB

Download
memory/4740-136-0x0000000006310000-0x00000000063A2000-memory.dmp

Filesize
584KB

Download
memory/4740-141-0x00000000062E0000-0x00000000062EA000-memory.dmp

Filesize
40KB

Download
memory/4740-132-0x0000000000C10000-0x0000000000C28000-memory.dmp

Filesize
96KB

Download
memory/4740-133-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/5056-148-0x0000000000000000-mapping.dmp

Download
memory/5056-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-150-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

Filesize
624KB

Download
memory/5056-151-0x0000000005DF0000-0x0000000005E40000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads