agenttesla | f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822

General

Target

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
Size

480KB
MD5

06d253413aa62c1eb72edb9fdc6e2a87
SHA1

a3d8c88b5b9709699c183925ce3ad653491aee9d
SHA256

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822
SHA512

74eee8077764b41bb10bfdb2f8408af549951abdf9244d0c609de931ba6f847b6653d1088cb4394de875c0f23837b28f712cc4c8161a50d4127206bb669d68bb
SSDEEP

12288:q0aShcx7plNJAYnIKPPfpZlrySug8pG94L3st+s0u5jgbO:q0aSholNJrXdr5ug88ss0s0gEO

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5745656562:AAEWafwrgUiORYk4Z5mN1SY726IYW3inkfw/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exeCasPol.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4AEDA9AD67994E2AA3267C3CA0849E85 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe\""	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe"	CasPol.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

78 api.ipify.org
79 api.ipify.org

flow	ioc
78	api.ipify.org
79	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

description	pid	process	target process
PID 3956 set thread context of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CasPol.exe

pid process

100 CasPol.exe
100 CasPol.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

pid process

3956 f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

pid	process
100	CasPol.exe
100	CasPol.exe

pid	process
3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
Token: SeDebugPrivilege	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
Token: SeLoadDriverPrivilege	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
Token: SeDebugPrivilege	100	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CasPol.exe

pid process

100 CasPol.exe

pid	process
100	CasPol.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe

description	pid	process	target process
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe
PID 3956 wrote to memory of 100	3956	f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe	CasPol.exe

outlook_office_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

outlook_win_path 1 IoCs

Processes:

CasPol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe
"C:\Users\Admin\AppData\Local\Temp\f0ffe30cd228800ef89e93b87315c547fde5ec6e3dc8e09485b9004726bbe822.exe"
1⤵
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/100-136-0x0000000000437BCE-mapping.dmp

Download
memory/100-138-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/100-139-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/100-140-0x00000000064B0000-0x0000000006516000-memory.dmp

Filesize
408KB

Download
memory/100-141-0x0000000006C70000-0x0000000006CC0000-memory.dmp

Filesize
320KB

Download
memory/100-142-0x0000000006DE0000-0x0000000006E72000-memory.dmp

Filesize
584KB

Download
memory/100-143-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/3956-132-0x0000015D9CF20000-0x0000015D9CF9C000-memory.dmp

Filesize
496KB

Download
memory/3956-133-0x00007FFD9D0A0000-0x00007FFD9DB61000-memory.dmp

Filesize
10.8MB

Download
memory/3956-134-0x00007FFD9D0A0000-0x00007FFD9DB61000-memory.dmp

Filesize
10.8MB

Download
memory/3956-137-0x00007FFD9D0A0000-0x00007FFD9DB61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads