agenttesla | 0c73e5c8bb0945f67b5226bb5898a71cf41db95f1f1c442188167522b616d830

Analysis

max time kernel
57s
max time network
64s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
29-11-2022 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

575KB
MD5

4a3444b41e9b7311c8221e2e5fd279a4
SHA1

04b2b70b48c06d4b4ec50facc5b1b85bba070736
SHA256

0c73e5c8bb0945f67b5226bb5898a71cf41db95f1f1c442188167522b616d830
SHA512

ce103dd445aa6a38a975524bfe17aae3b0b4864c83b56f352680d8b4cb67bc18450ed577bd1b54176fd0c84ae19984986943aeb9d178044c28fa89c568df567a
SSDEEP

12288:cMkzrbETCltHskFgFwIyXCDo921TFji989AnMlsEpkOaj69:M76CjskFgqIyXjMBtAnasgkOaj

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5745656562:AAEWafwrgUiORYk4Z5mN1SY726IYW3inkfw/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

SOA.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SOA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SOA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SOA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SOA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe"	SOA.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SOA.exe

description pid process target process

PID 3048 set thread context of 4592 3048 SOA.exe SOA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4252 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SOA.exeSOA.exe

pid process

3048 SOA.exe
4592 SOA.exe
4592 SOA.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SOA.exeSOA.exe

description pid process

Token: SeDebugPrivilege 3048 SOA.exe
Token: SeDebugPrivilege 4592 SOA.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SOA.exe

pid process

4592 SOA.exe

flow	ioc
14	api.ipify.org
15	api.ipify.org

description	pid	process	target process
PID 3048 set thread context of 4592	3048	SOA.exe	SOA.exe

pid	process
4252	schtasks.exe

pid	process
3048	SOA.exe
4592	SOA.exe
4592	SOA.exe

description	pid	process
Token: SeDebugPrivilege	3048	SOA.exe
Token: SeDebugPrivilege	4592	SOA.exe

pid	process
4592	SOA.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SOA.exe

description	pid	process	target process
PID 3048 wrote to memory of 4252	3048	SOA.exe	schtasks.exe
PID 3048 wrote to memory of 4252	3048	SOA.exe	schtasks.exe
PID 3048 wrote to memory of 4252	3048	SOA.exe	schtasks.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe
PID 3048 wrote to memory of 4592	3048	SOA.exe	SOA.exe

outlook_office_path 1 IoCs

Processes:

SOA.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SOA.exe

outlook_win_path 1 IoCs

Processes:

SOA.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SOA.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iNqCYZJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp38C3.tmp"
2⤵
- Creates scheduled task(s)
PID:4252

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA.exe.log
Filesize
1KB

MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp38C3.tmp
Filesize
1KB

MD5
6a7ce2bb3caacbe2a678faf8c978bb0a

SHA1
f000f0020d6ec0dd3f68db85ee4475c858e44eaa

SHA256
ad3d4ac5aca31ea389bd55e95c5cc183722907e15f85afe5a713a5a3162b7cf8

SHA512
33988edc3f85f77ca73892aac5440a953edf976eb82a73acf07620bf965545b7e438dd2354ecdf90a42c877929f6cbc18f2e59a108d31c9e1bc78772b8efdb1e

Download Submit
memory/3048-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-120-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-121-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-123-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-124-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-138-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-146-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-147-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-149-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-150-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-151-0x00000000003C0000-0x0000000000456000-memory.dmp

Filesize
600KB

Download
memory/3048-152-0x00000000051C0000-0x00000000056BE000-memory.dmp

Filesize
5.0MB

Download
memory/3048-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-154-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/3048-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-157-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/3048-155-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-160-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-167-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-172-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/3048-173-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-180-0x0000000007990000-0x00000000079A2000-memory.dmp

Filesize
72KB

Download
memory/3048-179-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-181-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-182-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-183-0x0000000006740000-0x00000000067C0000-memory.dmp

Filesize
512KB

Download
memory/3048-184-0x00000000069C0000-0x00000000069FC000-memory.dmp

Filesize
240KB

Download
memory/3048-185-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-186-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-187-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-188-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4252-194-0x0000000000000000-mapping.dmp

Download
memory/4592-214-0x0000000000437BCE-mapping.dmp

Download
memory/4592-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-275-0x00000000054E0000-0x00000000054F8000-memory.dmp

Filesize
96KB

Download
memory/4592-277-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download