agenttesla | 3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7

General

Target

INV-00241.exe
Size

654KB
MD5

4b9d7b1ea4b94c7b9a9c8a7d85578c9d
SHA1

bd580c3c037c244c4c5b820dbb017e14b032b4ec
SHA256

3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
SHA512

b3ead2fbf3b0e408c0cd2dcc4738c84967321a7c7fe0d673ed7df5400387084f627b8ee7ad6075cff6d1f2f6127d4c85ea9797f12ddf5ab4948fedec82752119
SSDEEP

6144:7BnJ+58yUPAQVBXw5EPSzoBoe2ZP7e4VimiMxu2Kd4Dic8caelU:D+9UPAuA51s2zMcBjxRKrczaL

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.crownoffice.xyz
Port:
587
Username:
[email protected]
Password:
GRACEoverflow123@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

zpfbg.exezpfbg.exe

pid process

968 zpfbg.exe
1640 zpfbg.exe
Loads dropped DLL 2 IoCs

Processes:

INV-00241.exezpfbg.exe

pid process

1064 INV-00241.exe
968 zpfbg.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
968	zpfbg.exe
1640	zpfbg.exe

pid	process
1064	INV-00241.exe
968	zpfbg.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

zpfbg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zpfbg.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zpfbg.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zpfbg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zpfbg.exezpfbg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yfjvsfmgw = "C:\\Users\\Admin\\AppData\\Roaming\\clbhyuawh\\bvfggtidba.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfbg.exe\" C:\\Users\\Admin\\AppData\\Local"	zpfbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"	zpfbg.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

zpfbg.exe

description pid process target process

PID 968 set thread context of 1640 968 zpfbg.exe zpfbg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

zpfbg.exe

pid process

1640 zpfbg.exe
1640 zpfbg.exe
1640 zpfbg.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

zpfbg.exe

pid process

968 zpfbg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zpfbg.exe

description pid process

Token: SeDebugPrivilege 1640 zpfbg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

zpfbg.exe

pid process

1640 zpfbg.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org

description	pid	process	target process
PID 968 set thread context of 1640	968	zpfbg.exe	zpfbg.exe

pid	process
1640	zpfbg.exe
1640	zpfbg.exe
1640	zpfbg.exe

pid	process
968	zpfbg.exe

description	pid	process
Token: SeDebugPrivilege	1640	zpfbg.exe

pid	process
1640	zpfbg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

INV-00241.exezpfbg.exe

description	pid	process	target process
PID 1064 wrote to memory of 968	1064	INV-00241.exe	zpfbg.exe
PID 1064 wrote to memory of 968	1064	INV-00241.exe	zpfbg.exe
PID 1064 wrote to memory of 968	1064	INV-00241.exe	zpfbg.exe
PID 1064 wrote to memory of 968	1064	INV-00241.exe	zpfbg.exe
PID 968 wrote to memory of 1640	968	zpfbg.exe	zpfbg.exe
PID 968 wrote to memory of 1640	968	zpfbg.exe	zpfbg.exe
PID 968 wrote to memory of 1640	968	zpfbg.exe	zpfbg.exe
PID 968 wrote to memory of 1640	968	zpfbg.exe	zpfbg.exe
PID 968 wrote to memory of 1640	968	zpfbg.exe	zpfbg.exe

outlook_office_path 1 IoCs

Processes:

zpfbg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zpfbg.exe

outlook_win_path 1 IoCs

Processes:

zpfbg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zpfbg.exe

C:\Users\Admin\AppData\Local\Temp\INV-00241.exe
"C:\Users\Admin\AppData\Local\Temp\INV-00241.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
"C:\Users\Admin\AppData\Local\Temp\zpfbg.exe" C:\Users\Admin\AppData\Local\Temp\mpbnofni.pa
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
"C:\Users\Admin\AppData\Local\Temp\zpfbg.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mpbnofni.pa
Filesize
7KB

MD5
1bfac87a4f48963d6caf5fe27c8c5baf

SHA1
15d56818cee354bf34fd544b006c36919002320b

SHA256
edc1056c39973d312889e8913aeaea4990fd1512208472976904218e46076bb9

SHA512
2c6cca8a450327cf471f09a0c92c01c33dbf5db7d8b2f5d3c3ccf5eb88b68772910176ee80ba2137cef10777006ba955565ce65f1fc3b41da21c581d49377d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwkogxfo.yq
Filesize
239KB

MD5
78ff86f4a6353db5f18ae0ada58b837c

SHA1
e579a54f260bb800174f96192a848dacca6fa159

SHA256
3c958f007e4dde9126480bb111a7bbc7a6094521c2266eca3fad70f3fcac027d

SHA512
defc96d1f27a07b90a278441fcd1aadd41dd22919edf05290aebbb4d1bd525362105e8e070316d463e0efc031bb0ef204fff140d9c93a4456fa8646f8841361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
Filesize
12KB

MD5
8ac9e4ec32db5ee3d689497046200d55

SHA1
0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675

SHA256
f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a

SHA512
60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
Filesize
12KB

MD5
8ac9e4ec32db5ee3d689497046200d55

SHA1
0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675

SHA256
f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a

SHA512
60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpfbg.exe
Filesize
12KB

MD5
8ac9e4ec32db5ee3d689497046200d55

SHA1
0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675

SHA256
f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a

SHA512
60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8

Download Submit
\Users\Admin\AppData\Local\Temp\zpfbg.exe
Filesize
12KB

MD5
8ac9e4ec32db5ee3d689497046200d55

SHA1
0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675

SHA256
f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a

SHA512
60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8

Download Submit
\Users\Admin\AppData\Local\Temp\zpfbg.exe
Filesize
12KB

MD5
8ac9e4ec32db5ee3d689497046200d55

SHA1
0aa4eb3ba4bcdbcf89ae5eb137fca4bb9da00675

SHA256
f49087bc394ae7983e0c7b8a54a9d70147dd6874fa1b2bcf3e02ad3c02f1261a

SHA512
60adfc992bf04db4c3902ba696328c3f560364a2f0fc4b989ff4ae6dfc625729f6e86d3ea63dae1cad11d2c4a8609fc9450829dab31d219ea641b480e78623f8

Download Submit
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1640-63-0x0000000000401896-mapping.dmp

Download
memory/1640-66-0x0000000000640000-0x000000000066E000-memory.dmp

Filesize
184KB

Download
memory/1640-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads