agenttesla | dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546

General

Target

BL-SHIPPING DOCUMENTS.exe
Size

478KB
MD5

69fe54a9cafee09f25e0d3f7a51488c7
SHA1

747373a2640c7fca04258681c7ec313be3b0db24
SHA256

dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
SHA512

4230111e1b90da8e5d628bcfd16f9381cb24e9c0e31d3772798ea5bf78c711bc2634bf0343f323d094f23f587b6be5fd41f7828323d09f8a3ce0506c65a50706
SSDEEP

12288:0ZYJmqS//u3ML7l++F7oNt6YkIwaD2YSHTK:0Sg43ML7cEs8VaYTK

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BL-SHIPPING DOCUMENTS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	BL-SHIPPING DOCUMENTS.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BL-SHIPPING DOCUMENTS.exe

description pid process target process

PID 1928 set thread context of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

CasPol.exe

pid process

1316 CasPol.exe
1316 CasPol.exe
1316 CasPol.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

BL-SHIPPING DOCUMENTS.exe

pid process

1928 BL-SHIPPING DOCUMENTS.exe

description	pid	process	target process
PID 1928 set thread context of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe

pid	process
1316	CasPol.exe
1316	CasPol.exe
1316	CasPol.exe

pid	process
1928	BL-SHIPPING DOCUMENTS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BL-SHIPPING DOCUMENTS.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	1928	BL-SHIPPING DOCUMENTS.exe
Token: SeLoadDriverPrivilege	1928	BL-SHIPPING DOCUMENTS.exe
Token: SeDebugPrivilege	1316	CasPol.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

BL-SHIPPING DOCUMENTS.exe

description	pid	process	target process
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe
PID 1928 wrote to memory of 1316	1928	BL-SHIPPING DOCUMENTS.exe	CasPol.exe

outlook_office_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

outlook_win_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-57-0x0000000000437AAE-mapping.dmp

Download
memory/1316-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-62-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-54-0x0000000000A50000-0x0000000000ACC000-memory.dmp

Filesize
496KB

Download
memory/1928-55-0x0000000000960000-0x00000000009DA000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads