agenttesla | d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898

General

Target

d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exe
Size

458KB
MD5

cd97907dfa59649f4a1b346c4e4b8243
SHA1

470af611c44e77b16e7327816a08141ae6f3d9bc
SHA256

d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898
SHA512

1da9bb16b346f57b596ed7367ecb924a315106ddc4f1f7da633bc2016e6350459f5f00f7154a357deaa2d50464d451bec86801b5fec3edb46bda56f3d3a6a26a
SSDEEP

6144:PBnxm/hZudIIuLp0NmbAGtHFzLmDVSHAkDFt9oS2YE9gagaIw3cjwJYgintgA:LzdIZp2EtBiDVanDFtiS2t6agaW8wt

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

nsbttacwzy.exensbttacwzy.exe

pid process

4516 nsbttacwzy.exe
4536 nsbttacwzy.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4516	nsbttacwzy.exe
4536	nsbttacwzy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

nsbttacwzy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nsbttacwzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nsbttacwzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nsbttacwzy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

nsbttacwzy.exe

description pid process target process

PID 4516 set thread context of 4536 4516 nsbttacwzy.exe nsbttacwzy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

nsbttacwzy.exe

pid process

4536 nsbttacwzy.exe
4536 nsbttacwzy.exe
4536 nsbttacwzy.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nsbttacwzy.exe

pid process

4516 nsbttacwzy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nsbttacwzy.exe

description pid process

Token: SeDebugPrivilege 4536 nsbttacwzy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nsbttacwzy.exe

pid process

4536 nsbttacwzy.exe

description	pid	process	target process
PID 4516 set thread context of 4536	4516	nsbttacwzy.exe	nsbttacwzy.exe

pid	process
4536	nsbttacwzy.exe
4536	nsbttacwzy.exe
4536	nsbttacwzy.exe

pid	process
4516	nsbttacwzy.exe

description	pid	process
Token: SeDebugPrivilege	4536	nsbttacwzy.exe

pid	process
4536	nsbttacwzy.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exensbttacwzy.exe

description	pid	process	target process
PID 1708 wrote to memory of 4516	1708	d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exe	nsbttacwzy.exe
PID 1708 wrote to memory of 4516	1708	d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exe	nsbttacwzy.exe
PID 1708 wrote to memory of 4516	1708	d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exe	nsbttacwzy.exe
PID 4516 wrote to memory of 4536	4516	nsbttacwzy.exe	nsbttacwzy.exe
PID 4516 wrote to memory of 4536	4516	nsbttacwzy.exe	nsbttacwzy.exe
PID 4516 wrote to memory of 4536	4516	nsbttacwzy.exe	nsbttacwzy.exe
PID 4516 wrote to memory of 4536	4516	nsbttacwzy.exe	nsbttacwzy.exe

outlook_office_path 1 IoCs

Processes:

nsbttacwzy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nsbttacwzy.exe

outlook_win_path 1 IoCs

Processes:

nsbttacwzy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nsbttacwzy.exe

C:\Users\Admin\AppData\Local\Temp\d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exe
"C:\Users\Admin\AppData\Local\Temp\d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe
  "C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe" C:\Users\Admin\AppData\Local\Temp\xnalmjcb.vy
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe
    "C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe

Filesize
13KB

MD5
df65d294fe3ca49efc95270878be44d7

SHA1
3a5979a9f64f1293255c57c314528d51653be28f

SHA256
8e9829db786fd4dd410be1a1caab3a69c7323057bacae66431c9136ef74d8c99

SHA512
110d119bcacfd7984e9060c67875fcafcf9df4b42f90ab8ae5936bc31743133f5b2d74f58e90ef33de67a061434c20e42706ff34d913251026eeaae6086cc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe

Filesize
13KB

MD5
df65d294fe3ca49efc95270878be44d7

SHA1
3a5979a9f64f1293255c57c314528d51653be28f

SHA256
8e9829db786fd4dd410be1a1caab3a69c7323057bacae66431c9136ef74d8c99

SHA512
110d119bcacfd7984e9060c67875fcafcf9df4b42f90ab8ae5936bc31743133f5b2d74f58e90ef33de67a061434c20e42706ff34d913251026eeaae6086cc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbttacwzy.exe

Filesize
13KB

MD5
df65d294fe3ca49efc95270878be44d7

SHA1
3a5979a9f64f1293255c57c314528d51653be28f

SHA256
8e9829db786fd4dd410be1a1caab3a69c7323057bacae66431c9136ef74d8c99

SHA512
110d119bcacfd7984e9060c67875fcafcf9df4b42f90ab8ae5936bc31743133f5b2d74f58e90ef33de67a061434c20e42706ff34d913251026eeaae6086cc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlmeduljskn.d

Filesize
274KB

MD5
a34154dfc54f18f556d222ffea3e6979

SHA1
c5804b7040197cf37d8f150b5912d37f5a6d5e92

SHA256
c8416bb988b0d0c0ebcefd1d35f9eb039b8ee62561395cdb4fdbe8799f567d40

SHA512
f5b3f261f28ac8993ee029cbd4e102856004e6cff9c9b8a975ee844659f0b81fc984a6c2c576539d9fdd8daab876922385ba7e4a31a47a1494f9f13932671ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnalmjcb.vy

Filesize
5KB

MD5
9f95b45bb7f5a41cfa3b6bccd0564c0a

SHA1
48fbe063f93ea5396d0963d554e95f1805ad6495

SHA256
c313cc09b85196446f81d4288324a46f076f70da912974d2a5102ab996c76716

SHA512
463b49aa6d05073ff795e6418d2e93e83583309ee14ec5947183cc434f6b212548de1b4453cea7a62ca7d5aadf558459f81bea7bc1db09b851a3ac746ba52f75

Download Submit
memory/4516-132-0x0000000000000000-mapping.dmp

Download
memory/4536-137-0x0000000000000000-mapping.dmp

Download
memory/4536-139-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4536-140-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/4536-141-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/4536-142-0x0000000006520000-0x0000000006586000-memory.dmp

Filesize
408KB

Download
memory/4536-143-0x0000000006F00000-0x0000000006F92000-memory.dmp

Filesize
584KB

Download
memory/4536-144-0x00000000061F0000-0x0000000006240000-memory.dmp

Filesize
320KB

Download
memory/4536-145-0x0000000006260000-0x000000000626A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads