agenttesla | aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece

General

Target

aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe
Size

900KB
MD5

c68e2fbcf0d6aa032d875eda9d5064f1
SHA1

2a21c0df2831bf8b91c40031f9357afca0adfc72
SHA256

aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece
SHA512

c1299d8f7c8893dffd7012f13dd3f03d6ede311c3029514f4d5c3b6257809642e0b5ae1ac0dcc8f6ae4fde4ec9000129e3ab69ad8d0d2760baed3abc3e088073
SSDEEP

6144:QRB3vG8NWZg1ekK2faTCrT8qi43C2bRjgDybJ6yiszBSN+kWAbjouwootyL:muc7KTqi4/pOybhiWBQuuwootyL

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1708-82-0x0000000000400000-0x0000000000471000-memory.dmp	family_agenttesla
behavioral1/memory/1708-83-0x0000000000400000-0x00000000004E2000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

exxplorer.exeexxplorer.exe

pid process

1164 exxplorer.exe
1708 exxplorer.exe

pid	process
1164	exxplorer.exe
1708	exxplorer.exe

Loads dropped DLL 2 IoCs

Processes:

aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe

pid	process
1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe
1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

exxplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exxplorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exxplorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exxplorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key Name = "C:\\Users\\Admin\\subfolder\\exxplorer.vbs -rb"	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exeexxplorer.exeexxplorer.exe

pid process

1168 aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe
1164 exxplorer.exe
1708 exxplorer.exe
1708 exxplorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

exxplorer.exe

description pid process target process

PID 1164 set thread context of 1708 1164 exxplorer.exe exxplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

exxplorer.exe

pid process

1708 exxplorer.exe
1708 exxplorer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

exxplorer.exe

description pid process

Token: SeDebugPrivilege 1708 exxplorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exeexxplorer.exe

pid process

1168 aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe
1164 exxplorer.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

exxplorer.exe

pid process

1708 exxplorer.exe

description	pid	process	target process
PID 1164 set thread context of 1708	1164	exxplorer.exe	exxplorer.exe

pid	process
1708	exxplorer.exe
1708	exxplorer.exe

description	pid	process
Token: SeDebugPrivilege	1708	exxplorer.exe

pid	process
1708	exxplorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exeexxplorer.exe

description	pid	process	target process
PID 1168 wrote to memory of 1920	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	WScript.exe
PID 1168 wrote to memory of 1920	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	WScript.exe
PID 1168 wrote to memory of 1920	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	WScript.exe
PID 1168 wrote to memory of 1920	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	WScript.exe
PID 1168 wrote to memory of 1164	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	exxplorer.exe
PID 1168 wrote to memory of 1164	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	exxplorer.exe
PID 1168 wrote to memory of 1164	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	exxplorer.exe
PID 1168 wrote to memory of 1164	1168	aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe	exxplorer.exe
PID 1164 wrote to memory of 1708	1164	exxplorer.exe	exxplorer.exe
PID 1164 wrote to memory of 1708	1164	exxplorer.exe	exxplorer.exe
PID 1164 wrote to memory of 1708	1164	exxplorer.exe	exxplorer.exe
PID 1164 wrote to memory of 1708	1164	exxplorer.exe	exxplorer.exe

outlook_office_path 1 IoCs

Processes:

exxplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exxplorer.exe

outlook_win_path 1 IoCs

Processes:

exxplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	exxplorer.exe

C:\Users\Admin\AppData\Local\Temp\aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe
"C:\Users\Admin\AppData\Local\Temp\aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\subfolder\exxplorer.vbs"
2⤵
- Adds Run key to start application
PID:1920

C:\Users\Admin\subfolder\exxplorer.exe
"C:\Users\Admin\subfolder\exxplorer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\subfolder\exxplorer.exe
"C:\Users\Admin\subfolder\exxplorer.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- outlook_office_path
- outlook_win_path
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\subfolder\exxplorer.exe
Filesize
900KB

MD5
c68e2fbcf0d6aa032d875eda9d5064f1

SHA1
2a21c0df2831bf8b91c40031f9357afca0adfc72

SHA256
aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece

SHA512
c1299d8f7c8893dffd7012f13dd3f03d6ede311c3029514f4d5c3b6257809642e0b5ae1ac0dcc8f6ae4fde4ec9000129e3ab69ad8d0d2760baed3abc3e088073

Download Submit
C:\Users\Admin\subfolder\exxplorer.exe
Filesize
900KB

MD5
c68e2fbcf0d6aa032d875eda9d5064f1

SHA1
2a21c0df2831bf8b91c40031f9357afca0adfc72

SHA256
aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece

SHA512
c1299d8f7c8893dffd7012f13dd3f03d6ede311c3029514f4d5c3b6257809642e0b5ae1ac0dcc8f6ae4fde4ec9000129e3ab69ad8d0d2760baed3abc3e088073

Download Submit
C:\Users\Admin\subfolder\exxplorer.exe
Filesize
900KB

MD5
c68e2fbcf0d6aa032d875eda9d5064f1

SHA1
2a21c0df2831bf8b91c40031f9357afca0adfc72

SHA256
aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece

SHA512
c1299d8f7c8893dffd7012f13dd3f03d6ede311c3029514f4d5c3b6257809642e0b5ae1ac0dcc8f6ae4fde4ec9000129e3ab69ad8d0d2760baed3abc3e088073

Download Submit
C:\Users\Admin\subfolder\exxplorer.vbs
Filesize
1020B

MD5
668f506c439afb55333ce3f63411948d

SHA1
15001d94551585eb214ebaf016a6dd8e3b1e8330

SHA256
ca65c8d391b536df542e2f9bdced0f1a1f72b70e6864b555cf11de64100e0986

SHA512
1d902fdf07402483dd212bd3407e0a432bd6347bca620b2ff809d2659842bb16b627b488094798e3e0df6ca9a84f8be7cdfdf9998b65d2f255c29be26ee8bb0b

Download Submit
\Users\Admin\subfolder\exxplorer.exe
Filesize
900KB

MD5
c68e2fbcf0d6aa032d875eda9d5064f1

SHA1
2a21c0df2831bf8b91c40031f9357afca0adfc72

SHA256
aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece

SHA512
c1299d8f7c8893dffd7012f13dd3f03d6ede311c3029514f4d5c3b6257809642e0b5ae1ac0dcc8f6ae4fde4ec9000129e3ab69ad8d0d2760baed3abc3e088073

Download Submit
\Users\Admin\subfolder\exxplorer.exe
Filesize
900KB

MD5
c68e2fbcf0d6aa032d875eda9d5064f1

SHA1
2a21c0df2831bf8b91c40031f9357afca0adfc72

SHA256
aee41e3294113fd8de0408c5b4fe8e3091360ed7dfe330de01f354cf9312fece

SHA512
c1299d8f7c8893dffd7012f13dd3f03d6ede311c3029514f4d5c3b6257809642e0b5ae1ac0dcc8f6ae4fde4ec9000129e3ab69ad8d0d2760baed3abc3e088073

Download Submit
memory/1164-73-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download
memory/1164-79-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1164-78-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/1164-62-0x0000000000000000-mapping.dmp

Download
memory/1164-74-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1168-67-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download
memory/1168-57-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1168-56-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1168-65-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1168-69-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1708-85-0x0000000077550000-0x00000000776D0000-memory.dmp

Filesize
1.5MB

Download
memory/1708-76-0x00000000004BF77D-mapping.dmp

Download
memory/1708-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1708-83-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1708-84-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download
memory/1708-86-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-87-0x00000000002B0000-0x00000000002C8000-memory.dmp

Filesize
96KB

Download
memory/1708-88-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads