agenttesla | bb3fdd08cbbf3f8a1ac68b9968719290ba713a0cdea09f556a590c4d3819e9c0

General

Target

5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
Size

788KB
MD5

4252062a013af0c7953e4d14fe646e93
SHA1

ada3f9cf06008cba824e4bcda68f80da99d13893
SHA256

5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
SHA512

83c9d4e85a378e8d02393315c480dac1e6fab024bb95717e8ef4a9598782e784539374b127836695a6722662d1dc74a54ddc54d6bf02fc2e7c2dcd1a810f6f89
SSDEEP

24576:UraCDwovMPVLs5pcMrQJ63f81b34B5O8f:4aSJMPJGrQJ6vYr4jO8f

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
work-toolz.click
Port:
587
Username:
[email protected]
Password:
3HLkst~=QzD3

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
work-toolz.click
Port:
587
Username:
[email protected]
Password:
3HLkst~=QzD3

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

LocalNePRdcnFKm.exeLocalNePRdcnFKm.exe

pid process

1944 LocalNePRdcnFKm.exe
956 LocalNePRdcnFKm.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

LocalNePRdcnFKm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LocalNePRdcnFKm.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LocalNePRdcnFKm.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LocalNePRdcnFKm.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

LocalNePRdcnFKm.exe

description pid process target process

PID 1944 set thread context of 956 1944 LocalNePRdcnFKm.exe LocalNePRdcnFKm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1072 schtasks.exe

flow	ioc
5	api.ipify.org
4	api.ipify.org

description	pid	process	target process
PID 1944 set thread context of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe

pid	process
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

LocalNePRdcnFKm.exeLocalNePRdcnFKm.exepowershell.exepowershell.exe

pid	process
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
1944	LocalNePRdcnFKm.exe
956	LocalNePRdcnFKm.exe
956	LocalNePRdcnFKm.exe
1648	powershell.exe
1792	powershell.exe
956	LocalNePRdcnFKm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

LocalNePRdcnFKm.exeLocalNePRdcnFKm.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	LocalNePRdcnFKm.exe
Token: SeDebugPrivilege	956	LocalNePRdcnFKm.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1476 AcroRd32.exe
1476 AcroRd32.exe
1476 AcroRd32.exe
1476 AcroRd32.exe

pid	process
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exeLocalNePRdcnFKm.exe

description	pid	process	target process
PID 1408 wrote to memory of 1944	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	LocalNePRdcnFKm.exe
PID 1408 wrote to memory of 1944	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	LocalNePRdcnFKm.exe
PID 1408 wrote to memory of 1944	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	LocalNePRdcnFKm.exe
PID 1408 wrote to memory of 1944	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	LocalNePRdcnFKm.exe
PID 1408 wrote to memory of 1476	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	AcroRd32.exe
PID 1408 wrote to memory of 1476	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	AcroRd32.exe
PID 1408 wrote to memory of 1476	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	AcroRd32.exe
PID 1408 wrote to memory of 1476	1408	5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe	AcroRd32.exe
PID 1944 wrote to memory of 1792	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1792	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1792	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1792	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1648	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1648	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1648	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1648	1944	LocalNePRdcnFKm.exe	powershell.exe
PID 1944 wrote to memory of 1072	1944	LocalNePRdcnFKm.exe	schtasks.exe
PID 1944 wrote to memory of 1072	1944	LocalNePRdcnFKm.exe	schtasks.exe
PID 1944 wrote to memory of 1072	1944	LocalNePRdcnFKm.exe	schtasks.exe
PID 1944 wrote to memory of 1072	1944	LocalNePRdcnFKm.exe	schtasks.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe
PID 1944 wrote to memory of 956	1944	LocalNePRdcnFKm.exe	LocalNePRdcnFKm.exe

outlook_office_path 1 IoCs

Processes:

LocalNePRdcnFKm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LocalNePRdcnFKm.exe

outlook_win_path 1 IoCs

Processes:

LocalNePRdcnFKm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LocalNePRdcnFKm.exe

C:\Users\Admin\AppData\Local\Temp\5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe
"C:\Users\Admin\AppData\Local\Temp\5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
"C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mrYHLrofvW.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mrYHLrofvW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp"
3⤵
- Creates scheduled task(s)
PID:1072

C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
"C:\Users\Admin\AppData\LocalNePRdcnFKm.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:956

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalRguquifM_i.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
Filesize
746KB

MD5
cf358bc6184346eb189370a89efb4faa

SHA1
4cc15bf7e60150cce098c5e905702d3038996e46

SHA256
29e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b

SHA512
5c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f

Download Submit
C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
Filesize
746KB

MD5
cf358bc6184346eb189370a89efb4faa

SHA1
4cc15bf7e60150cce098c5e905702d3038996e46

SHA256
29e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b

SHA512
5c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f

Download Submit
C:\Users\Admin\AppData\LocalNePRdcnFKm.exe
Filesize
746KB

MD5
cf358bc6184346eb189370a89efb4faa

SHA1
4cc15bf7e60150cce098c5e905702d3038996e46

SHA256
29e98316caac2dec3ca75404f4abe20a0f8a4ae82b9560e6db20c4ec76b6425b

SHA512
5c8b15c9d1b2f0075674ad34ee3f51ab1f6617b61170722aa91f9a35fca08522bca0d69955ecdc7f9baa0b88ca048160ad7ccf9aec6a27a3aae52f94df1c402f

Download Submit
C:\Users\Admin\AppData\LocalRguquifM_i.pdf
Filesize
4KB

MD5
6ed5d6c645a65626a8722d0c9e63deba

SHA1
614cba83aff230d5500e93580a2a9bd06bc500ef

SHA256
bc723b24c022a75063ce07bbb96bd8182621c8aea4a37cd3b6c02650b24ed78c

SHA512
c6f97d4d9d05f6f130fc7754f274d820a30790f94e88119b052597cd85e752449455e15a6438d263059e75f3008862e92f9dfa2b7ac2fe1eb5fc56e6f5854a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp
Filesize
1KB

MD5
941538552e197f2b2f09d4602e6c026c

SHA1
ee7d8d5e057e9717f2c4718d46d0983ae8c2c28b

SHA256
891c2ab5a6dac32a0cf4ce00973212245d97046806d9158deacb8f85fe93111c

SHA512
2577779f61c3728e1b34fc1349e54e5cd783e72ec2bb45c14c022d5ac937960e492f5e1a9f95b65243592ea8b221766ef35829a3d2702b7942179b5f1049d6b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e68ed690ca889728adb60ea0d2673f34

SHA1
29b943b53297a30a8801b01a14564ecc0973daba

SHA256
8fff940545c5709e2e96561fd4153a25891c5a977417d1be7c8a0ae0268e433a

SHA512
bb58d387a704858802f8c24a995d44f7ff4bb14a3221a42b6e3c2a329c4cd70dcd2544e56bdc83f7d7b3ad5acd3b29e1a74fc54a5b5b02aa913280e86de265da

Download Submit
memory/956-81-0x000000000043248E-mapping.dmp

Download
memory/956-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-86-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-71-0x0000000000000000-mapping.dmp

Download
memory/1408-54-0x000007FEF3560000-0x000007FEF3F83000-memory.dmp

Filesize
10.1MB

Download
memory/1408-55-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1476-59-0x0000000000000000-mapping.dmp

Download
memory/1476-60-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1648-88-0x000000006CE40000-0x000000006D3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-69-0x0000000000000000-mapping.dmp

Download
memory/1648-90-0x000000006CE40000-0x000000006D3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1792-89-0x000000006CE40000-0x000000006D3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-91-0x000000006CE40000-0x000000006D3EB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-65-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/1944-64-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/1944-61-0x0000000000A10000-0x0000000000AD0000-memory.dmp

Filesize
768KB

Download
memory/1944-66-0x0000000005210000-0x0000000005292000-memory.dmp

Filesize
520KB

Download
memory/1944-56-0x0000000000000000-mapping.dmp

Download
memory/1944-74-0x0000000004C40000-0x0000000004C8A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads